initial commit

refpolicy/Makefile

@@ -0,0 +1,185 @@
+########################################
+#
+# Configurable portions of the Makefile
+#
+
+# Build compatibility policies 
+POLICYCOMPAT = -c 18
+
+# set distribution
+#override M4PARAM += -D distro_redhat
+
+# Uncomment this to disable command echoing
+#QUIET:=@
+
+########################################
+#
+# Invariant portions of the Makefile
+#
+
+# executable paths
+PREFIX := /usr
+BINDIR := $(PREFIX)/bin
+SBINDIR := $(PREFIX)/sbin
+CHECKPOLICY := $(BINDIR)/checkpolicy
+SETFILES := $(SBINDIR)/setfiles
+
+# determine the policy version and current kernel version if possible
+PV := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ')
+KV := $(shell cat /selinux/policyvers)
+
+# dont print version warnings if we are unable to determine
+# the currently running kernel's policy version
+ifeq ($(KV),)
+KV := $(PV)
+endif
+
+FC := file_contexts
+POLVER := policy.$(PV)
+TYPE := strict
+
+# install paths
+TOPDIR = $(DESTDIR)/etc/selinux
+INSTALLDIR = $(TOPDIR)/$(TYPE)
+POLICYPATH = $(INSTALLDIR)/policy
+SRCPATH = $(INSTALLDIR)/src
+USERPATH = $(INSTALLDIR)/users
+CONTEXTPATH = $(INSTALLDIR)/contexts
+LOADPATH = $(POLICYPATH)/$(POLVER)
+FCPATH = $(CONTEXTPATH)/files/file_contexts
+HOMEDIRPATH = $(CONTEXTPATH)/files/homedir_template
+
+BASE_MODULE = kernel
+FLASKDIR = $(BASE_MODULE)/flask/
+MISCDIR = $(BASE_MODULE)/misc/
+
+DETECTED_DIRS := $(shell find $(wildcard *) -maxdepth 0 -type d)
+ALL_MODULES := $(filter-out tmp,$(DETECTED_DIRS))
+
+PRE_TE_FILES := $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors)
+ALL_INTERFACES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.if))
+ALL_TE_FILES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.te))
+POST_TE_FILES := $(addprefix $(MISCDIR),users constraints mls initial_sid_contexts fs_use genfs_contexts)
+
+ALL_FC_FILES := $(foreach dir,$(ALL_MODULES),$(wildcard $(dir)/*.fc))
+
+POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attributes.conf tmp/only_te_rules.conf tmp/all_post.conf
+
+override M4PARAM += -D monolithic_policy
+
+########################################
+#
+# default action: build policy locally
+#
+default: policy
+
+policy: $(POLVER)
+
+install: $(LOADPATH)
+
+########################################
+#
+# Build a binary policy locally
+#
+$(POLVER): policy.conf
+ifneq ($(PV),$(KV))
+	@echo
+	@echo "WARNING: Policy version mismatch!  Is your POLICYCOMPAT set correctly?"
+	@echo
+endif
+	$(QUIET) $(CHECKPOLICY) $(POLICYCOMPAT) $^ -o $(POLVER)
+
+########################################
+#
+# Install a binary policy
+#
+$(LOADPATH): policy.conf
+	@mkdir -p $(POLICYPATH)
+ifneq ($(PV),$(KV))
+	@echo
+	@echo "WARNING: Policy version mismatch!  Is your POLICYCOMPAT set correctly?"
+	@echo
+endif
+	$(QUIET) $(CHECKPOLICY) $(POLICYCOMPAT) $^ -o $(LOADPATH)
+
+########################################
+#
+# Construct a monolithic policy.conf
+#
+policy.conf: $(POLICY_SECTIONS)
+	$(QUIET) m4 $(M4PARAM) $^ > tmp/$@.tmp
+	$(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@
+	$(QUIET) # the ordering of these ocontexts matters:
+	$(QUIET) grep ^portcon tmp/$@.tmp >> $@ || true
+	$(QUIET) grep ^netifcon tmp/$@.tmp >> $@ || true
+	$(QUIET) grep ^nodecon tmp/$@.tmp >> $@ || true
+
+tmp/pre_te_files.conf: $(PRE_TE_FILES)
+	@test -d tmp || mkdir -p tmp
+	$(QUIET) cat $^ > $@
+
+tmp/generated_definitions.conf: $(ALL_MODULES) $(ALL_TE_FILES) $(BASE_MODULE)/corenetwork.if $(BASE_MODULE)/corenetwork.te
+	@test -d tmp || mkdir -p tmp
+	$(QUIET) echo "define(\`per_userdomain_templates',\`" > $@
+	$(QUIET) for i in $(ALL_MODULES); do \
+		echo "ifdef(\`""$$i""_per_userdomain_template',\`""$$i""_per_userdomain_template("'$$1'")')" \
+			>> $@ ;\
+	done
+	$(QUIET) echo "')" >> $@
+	$(QUIET) for i in $(notdir $(ALL_TE_FILES)); do \
+		echo "define(\`$$i')" >> $@ ;\
+	done
+	$(QUIET) m4 $(M4PARAM) -D interface_pass $(BASE_MODULE)/corenetwork.if $(BASE_MODULE)/corenetwork.te \
+		| sed -e 's/dollarsone/\$$1/g' -e 's/dollarstwo/\$$2/g' >> $@
+
+tmp/all_interfaces.conf: $(ALL_INTERFACES)
+	@test -d tmp || mkdir -p tmp
+	$(QUIET) cat $^ > $@
+
+tmp/all_te_files.conf: $(ALL_TE_FILES)
+	@test -d tmp || mkdir -p tmp
+	$(QUIET) cat $^ > $@
+
+tmp/post_te_files.conf: $(POST_TE_FILES)
+	@test -d tmp || mkdir -p tmp
+	$(QUIET) cat $^ > $@
+
+# extract attributes and put them first. extract post te stuff
+# like genfscon and put last.  portcon, nodecon, and netifcon
+# is delayed since they are generated by m4
+tmp/all_attributes.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_files.conf tmp/post_te_files.conf
+	$(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attributes.conf || true
+	$(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
+	$(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true
+	$(QUIET) sed -e /^attribute/d -e /^genfscon/d < tmp/all_te_files.conf > tmp/only_te_rules.conf
+
+########################################
+#
+# Construct file_contexts
+#
+$(FC): $(ALL_FC_FILES)
+	@test -d tmp || mkdir -p tmp
+	$(QUIET) m4 $(M4PARAM) $^ > $@
+
+########################################
+#
+# Filesystem labeling
+#
+FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';`
+
+checklabels: $(SETFILES)
+	$(QUIET) $(SETFILES) -v -n $(FC) $(FILESYSTEMS)
+
+restorelabels: $(SETFILES)
+	$(QUIET) $(SETFILES) -v $(FC) $(FILESYSTEMS)
+
+relabel:  $(FC) $(SETFILES)
+	$(QUIET) $(SETFILES) $(FC) $(FILESYSTEMS)
+
+clean:
+	rm -fR tmp
+	rm -f policy.conf
+	rm -f policy.$(PV)
+	rm -f $(FC)
+
+.PHONY: default clean policy install

refpolicy/policy/modules/kernel/bootloader.if

@@ -0,0 +1,144 @@
+########################################
+#
+# bootloader_install_kernel(domain,[`optional'])
+#
+define(`bootloader_install_kernel',`
+requires_block_template(bootloader_install_kernel_depend,$2)
+allow $1 boot_t:dir { getattr search read write add_name };
+allow $1 boot_t:file { getattr read write create };
+allow $1 boot_t:lnk_file { getattr read create unlink };
+')
+
+define(`bootloader_install_kernel_depend',`
+type boot_t;
+class dir { getattr search read write add_name };
+class file { getattr read write create };
+class lnk_file { getattr read create unlink };
+')
+
+########################################
+#
+# bootloader_install_initrd(domain,[`optional'])
+#
+define(`bootloader_install_initrd',`
+requires_block_template(bootloader_install_initrd_depend,$2)
+allow $1 boot_t:dir { getattr search read write add_name };
+allow $1 boot_t:file { getattr read write create };
+allow $1 boot_t:lnk_file { getattr read create unlink };
+')
+
+define(`bootloader_install_initrd_depend',`
+type boot_t;
+class dir { getattr search read write add_name };
+class file { getattr read write create };
+class lnk_file { getattr read create unlink };
+')
+
+########################################
+#
+# bootloader_install_kernel_symbol_table(domain,[`optional'])
+#
+define(`bootloader_install_kernel_symbol_table',`
+requires_block_template(bootloader_install_kernel_symbol_table_depend,$2)
+allow $1 boot_t:dir { getattr search read write add_name };
+allow $1 system_map_t:file { getattr read write create };
+')
+
+define(`bootloader_install_kernel_symbol_table_depend',`
+type boot_t, system_map_t;
+class dir { getattr search read write add_name };
+class file { getattr read write create };
+')
+
+########################################
+#
+# bootloader_read_kernel_symbol_table(domain,[`optional'])
+#
+define(`bootloader_read_kernel_symbol_table',`
+requires_block_template(bootloader_read_kernel_symbol_table_depend,$2)
+allow $1 boot_t:dir { getattr search read };
+allow $1 system_map_t:file { getattr read };
+')
+
+define(`bootloader_read_kernel_symbol_table_depend',`
+type boot_t, system_map_t;
+class dir { getattr search read };
+class file { getattr read };
+')
+
+########################################
+#
+# bootloader_remove_kernel(domain,[`optional'])
+#
+define(`bootloader_remove_kernel',`
+requires_block_template(bootloader_remove_kernel_depend,$2)
+allow $1 boot_t:dir { getattr search read write remove_name };
+allow $1 boot_t:file { getattr unlink };
+')
+
+define(`bootloader_remove_kernel_depend',`
+type boot_t;
+class dir { getattr search read write remove_name };
+class file { getattr unlink };
+')
+
+########################################
+#
+# bootloader_remove_kernel_symbol_table(domain,[`optional'])
+#
+define(`bootloader_remove_kernel_symbol_table',`
+requires_block_template(bootloader_remove_kernel_symbol_table_depend,$2)
+allow $1 boot_t:dir { getattr search read write remove_name };
+allow $1 system_map_t:file { getattr unlink };
+')
+
+define(`bootloader_remove_kernel_symbol_table_depend',`
+type boot_t, system_map_t;
+class dir { getattr search read write remove_name };
+class file { getattr unlink };
+')
+
+########################################
+#
+# bootloader_read_config(domain,[`optional'])
+#
+define(`bootloader_read_config',`
+requires_block_template(bootloader_read_config_depend,$2)
+allow $1 bootloader_etc_t:file { getattr read };
+')
+
+define(`bootloader_read_config_depend',`
+type bootloader_etc_t;
+class file { getattr read };
+')
+
+########################################
+#
+# bootloader_modify_config(domain,[`optional'])
+#
+define(`bootloader_modify_bootloader_config',`
+requires_block_template(bootloader_modify_config_depend,$2)
+allow $1 bootloader_etc_t:file { getattr read write append };
+')
+
+define(`bootloader_modify_bootloader_config_depend',`
+type bootloader_etc_t;
+class file { getattr read write append };
+')
+
+########################################
+#
+# bootloader_create_runtime_data(domain,[`optional'])
+#
+define(`bootloader_create_runtime_data',`
+requires_block_template(bootloader_create_runtime_data_depend,$2)
+allow $1 boot_t:dir { getattr search read write add_name remove_name };
+allow $1 boot_runtime_t:file { getattr create read write append unlink };
+type_transition $1 boot_t:file boot_runtime_t;
+')
+
+define(`bootloader_create_runtime_data_depend',`
+type boot_t, boot_runtime_t;
+class dir { getattr search read write add_name remove_name };
+class file { getattr create read write append unlink };
+')

refpolicy/policy/modules/kernel/bootloader.te

@@ -0,0 +1,198 @@
+type bootloader_t;
+domain_make_domain(bootloader_t)
+
+type bootloader_exec_t;
+domain_make_entrypoint_file(bootloader_t,bootloader_exec_t)
+
+#
+# boot_t is the type for files in /boot
+#
+type boot_t;
+files_make_file(boot_t)
+
+#
+# bootloader_etc_t is the configuration file,
+# grub.conf, lilo.conf, etc.
+#
+type bootloader_etc_t alias etc_bootloader_t;
+files_make_file(bootloader_etc_t)
+
+#
+# system_map_t is for the system.map files in /boot
+#
+type system_map_t;
+files_make_file(system_map_t)
+
+#
+# The temp file is used for initrd creation;
+# it consists of files and device nodes
+#
+type bootloader_tmp_t;
+files_make_file(bootloader_tmp_t)
+devices_make_device_node(bootloader_tmp_t)
+
+allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown };
+allow bootloader_t self:process { sigkill sigstop signull signal };
+allow bootloader_t self:fifo_file { getattr read write };
+
+kernel_stat_kernel_core_interface(bootloader_t)
+kernel_read_system_state(bootloader_t)
+kernel_read_software_raid_state(bootloader_t)
+kernel_read_kernel_sysctl(bootloader_t)
+
+storage_raw_read_fixed_disk(bootloader_t)
+storage_raw_write_fixed_disk(bootloader_t)
+storage_raw_read_removable_device(bootloader_t)
+storage_raw_write_removable_device(bootloader_t)
+
+# for reading BIOS data (cjp: ?)
+devices_raw_read_memory(bootloader_t)
+
+libraries_use_dynamic_loader(bootloader_t)
+libraries_read_shared_libraries(bootloader_t)
+
+files_read_general_system_config(bootloader_t)
+files_read_runtime_system_config(bootloader_t)
+files_read_system_source_code(bootloader_t)
+
+# uncomment the following line if you use "lilo -p"
+#files_create_private_config(bootloader_t,bootloader_etc_t)
+#allow bootloader_t bootloader_etc_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+
+filesystem_read_persistent_filesystem_stats(bootloader_t)
+
+terminal_use_controlling_terminal(bootloader_t)
+
+allow bootloader_t bootloader_etc_t:file { getattr read };
+
+define(`initrc_insmod_optional_policy', `
+modutils_insmod_execute(insmod_t)
+')
+
+miscfiles_read_localization(bootloader_t)
+
+devices_ignore_modify_generic_devices(bootloader_t)
+
+########################################
+#
+# mkinitrd policy
+#
+
+files_read_general_system_resources(bootloader_t)
+bootloader_install_initrd(bootloader_t)
+
+devices_get_random_data(bootloader_t)
+devices_get_pseudorandom_data(bootloader_t)
+corecommands_execute_general_programs(bootloader_t)
+corecommands_execute_system_programs(bootloader_t)
+corecommands_execute_shell(bootloader_t)
+
+selinux_read_binary_policy(bootloader_t)
+selinux_read_load_policy_binary(bootloader_t)
+
+modutils_read_kernel_modules(bootloader_t)
+modutils_read_kernel_module_dependencies(bootloader_t)
+modutils_read_kernel_module_loading_config(bootloader_t)
+
+logging_modify_system_logs(bootloader_t)
+
+files_create_private_tmp_data(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file blk_file })
+allow bootloader_t bootloader_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
+allow bootloader_t bootloader_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow bootloader_t bootloader_tmp_t:chr_file { create ioctl read getattr lock write setattr append link unlink rename };
+allow bootloader_t bootloader_tmp_t:blk_file { create ioctl read getattr lock write setattr append link unlink rename };
+allow bootloader_t bootloader_tmp_t:lnk_file { create read getattr setattr unlink rename };
+# for tune2fs (cjp: ?)
+files_create_private_root_dir_entry(bootloader_t,bootloader_tmp_t)
+
+################################################################################
+ifdef(`TODO',`
+
+# admin runs bootloader:
+domain_auto_trans(sysadm_t, bootloader_exec_t, bootloader_t)
+allow bootloader_t admin_tty_type:chr_file rw_file_perms;
+allow bootloader_t privfd:fd use;
+
+allow bootloader_t { device_type ttyfile }:chr_file getattr;
+allow bootloader_t device_type:blk_file getattr;
+allow bootloader_t initctl_t:fifo_file getattr;
+
+# no transition from initrc to bootloader,
+# so why are these rules needed
+role system_r types bootloader_t;
+allow bootloader_t initrc_devpts_t:chr_file rw_file_perms; 
+allow bootloader_t initrc_t:fifo_file { read write };
+allow bootloader_t initrc_t:fd use;
+
+allow bootloader_t lib_t:file { getattr read };
+
+allow bootloader_t sysfs_t:dir getattr;
+
+allow bootloader_t var_t:dir search;
+allow bootloader_t var_t:file { getattr read };
+
+ifdef(`fsadm.te', `
+allow bootloader_t fsadm_exec_t:file { rx_file_perms execute_no_trans };
+')
+
+# LVM2 / Device Mapper's /dev/mapper/control
+# maybe we should change the labeling for this
+ifdef(`lvm.te', `
+allow bootloader_t lvm_control_t:chr_file rw_file_perms;
+domain_auto_trans(bootloader_t, lvm_exec_t, lvm_t)
+allow lvm_t bootloader_tmp_t:file rw_file_perms;
+r_dir_file(bootloader_t, lvm_etc_t)
+')
+
+ifdef(`distro_debian', `
+allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
+allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
+allow bootloader_t boot_t:file relabelfrom;
+allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;
+allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms;
+allow bootloader_t tmpfs_t:dir r_dir_perms;
+allow bootloader_t initrc_var_run_t:dir r_dir_perms;
+allow bootloader_t var_lib_t:dir search;
+allow bootloader_t dpkg_var_lib_t:dir r_dir_perms;
+allow bootloader_t dpkg_var_lib_t:file { getattr read };
+# for /usr/share/initrd-tools/scripts
+can_exec(bootloader_t, usr_t)
+')
+
+ifdef(`distro_redhat', `
+# for mke2fs
+domain_auto_trans(bootloader_t, mount_exec_t, mount_t);
+allow mount_t bootloader_tmp_t:dir mounton;
+allow bootloader_t modules_object_t:lnk_file { getattr read };
+
+# new file system defaults to file_t, granting file_t access is still bad.
+allow bootloader_t file_t:dir create_dir_perms;
+allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms;
+allow bootloader_t file_t:lnk_file create_lnk_perms;
+allow bootloader_t self:unix_stream_socket create_socket_perms;
+allow bootloader_t boot_runtime_t:file { read getattr unlink };
+
+# for memlock
+allow bootloader_t zero_device_t:chr_file { getattr read };
+allow bootloader_t self:capability ipc_lock;
+')
+
+dontaudit bootloader_t selinux_config_t:dir search;
+dontaudit bootloader_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
+dontaudit bootloader_t devpts_t:dir create_dir_perms;
+# for nscd
+dontaudit bootloader_t var_run_t:dir search;
+
+') dnl end TODO
+
+########################################
+#
+# Conditional policy logic
+#
+
+ifdef(`monolithic_policy',`
+ifdef(`modutils.te',`initrc_insmod_optional_policy')
+',`
+optional modutils { modutils_insmod_execute_depend }
+ifopt (modutils) { initrc_insmod_optional_policy }
+') dnl end monolithic_policy

refpolicy/policy/modules/kernel/corenetwork.if

@@ -0,0 +1,317 @@
+#######################################
+#
+# corenetwork_send_tcp_on_general_interface(domain,[`optional'])
+#
+define(`corenetwork_send_tcp_on_general_interface',`
+requires_block_template(`corenetwork_send_tcp_on_general_interface_depend',$2)
+allow $1 netif_t:netif tcp_send;
+')
+
+define(`corenetwork_send_tcp_on_general_interface_depend',`
+type netif_t;
+class netif tcp_send;
+')
+
+#######################################
+#
+# corenetwork_send_udp_on_general_interface(domain,[`optional'])
+#
+define(`corenetwork_send_udp_on_general_interface',`
+requires_block_template(`corenetwork_send_udp_on_general_interface_depend',$2)
+allow $1 netif_t:netif udp_send;
+')
+
+define(`corenetwork_send_udp_on_general_interface_depend',`
+type netif_t;
+class netif udp_send;
+')
+
+#######################################
+#
+# corenetwork_send_raw_on_general_interface(domain,[`optional'])
+#
+define(`corenetwork_send_raw_on_general_interface',`
+requires_block_template(`corenetwork_send_raw_on_general_interface_depend',$2)
+allow $1 netif_t:netif rawip_send;
+allow $1 self:capability net_raw;
+')
+
+define(`corenetwork_send_raw_on_general_interface_depend',`
+type netif_t;
+class netif rawip_send;
+class capability net_raw;
+')
+
+#######################################
+#
+# corenetwork_receive_tcp_on_general_interface(domain,[`optional'])
+#
+define(`corenetwork_receive_tcp_on_general_interface',`
+requires_block_template(`corenetwork_receive_tcp_on_general_interface_depend',$2)
+allow $1 netif_t:netif tcp_recv;
+')
+
+define(`corenetwork_receive_tcp_on_general_interface_depend',`
+type netif_t;
+class netif tcp_recv;
+')
+
+#######################################
+#
+# corenetwork_receive_udp_on_general_interface(domain,[`optional'])
+#
+define(`corenetwork_receive_udp_on_general_interface',`
+requires_block_template(`corenetwork_receive_udp_on_general_interface_depend',$2)
+allow $1 netif_t:netif udp_recv;
+')
+
+define(`corenetwork_receive_udp_on_general_interface_depend',`
+type netif_t;
+class netif udp_recv;
+')
+
+#######################################
+#
+# corenetwork_receive_raw_on_general_interface(domain,[`optional'])
+#
+define(`corenetwork_receive_raw_on_general_interface',`
+requires_block_template(`corenetwork_receive_raw_on_general_interface_depend',$2)
+allow $1 netif_t:netif rawip_recv;
+')
+
+define(`corenetwork_receive_raw_on_general_interface_depend',`
+type netif_t;
+class netif rawip_recv;
+')
+
+#######################################
+#
+# corenetwork_send_tcp_on_all_interfaces(domain,[`optional'])
+#
+define(`corenetwork_send_tcp_on_all_interfaces',`
+requires_block_template(`corenetwork_send_tcp_on_all_interfaces_depend',$2)
+allow $1 netif_type:netif tcp_send;
+')
+
+define(`corenetwork_send_tcp_on_all_interfaces_depend',`
+attribute all_netif_type;
+class netif tcp_send;
+')
+
+#######################################
+#
+# corenetwork_send_udp_on_all_interfaces(domain,[`optional'])
+#
+define(`corenetwork_send_udp_on_all_interfaces',`
+requires_block_template(`corenetwork_send_udp_on_all_interfaces_depend',$2)
+allow $1 netif_type:netif udp_send;
+')
+
+define(`corenetwork_send_udp_on_all_interfaces_depend',`
+attribute netif_type;
+class netif udp_send;
+')
+
+#######################################
+#
+# corenetwork_send_raw_on_all_interfaces(domain,[`optional'])
+#
+define(`corenetwork_send_raw_on_all_interfaces',`
+requires_block_template(`corenetwork_send_raw_on_all_interfaces_depend',$2)
+allow $1 netif_type:netif rawip_send;
+allow $1 self:capability net_raw;
+')
+
+define(`corenetwork_send_raw_on_all_interfaces_depend',`
+attribute netif_type;
+class netif rawip_send;
+class capability net_raw;
+')
+
+#######################################
+#
+# corenetwork_receive_tcp_on_all_interfaces(domain,[`optional'])
+#
+define(`corenetwork_receive_tcp_on_all_interfaces',`
+requires_block_template(`corenetwork_receive_tcp_on_all_interfaces_depend',$2)
+allow $1 netif_type:netif tcp_recv;
+')
+
+define(`corenetwork_receive_tcp_on_all_interfaces_depend',`
+attribute netif_type;
+class netif tcp_recv;
+')
+
+#######################################
+#
+# corenetwork_receive_udp_on_all_interfaces(domain,[`optional'])
+#
+define(`corenetwork_receive_udp_on_all_interfaces',`
+requires_block_template(`corenetwork_receive_udp_on_all_interfaces_depend',$2)
+allow $1 netif_type:netif udp_recv;
+')
+
+define(`corenetwork_receive_udp_on_all_interfaces_depend',`
+attribute netif_type;
+class netif udp_recv;
+')
+
+#######################################
+#
+# corenetwork_receive_raw_on_all_interfaces(domain,[`optional'])
+#
+define(`corenetwork_receive_raw_on_all_interfaces',`
+requires_block_template(`corenetwork_receive_raw_on_all_interfaces_depend',$2)
+allow $1 netif_type:netif rawip_recv;
+')
+
+define(`corenetwork_receive_raw_on_all_interfaces_depend',`
+attribute netif_type;
+class netif rawip_recv;
+')
+
+########################################
+#
+# This section is processed through m4 to create real interfaces
+#
+########################################
+
+# dont generate anything but macros on this pass
+ifdef(`interface_pass',`
+define(`allow',`dnl')
+define(`type',`dnl')
+define(`attribute',`dnl')
+define(`portcon',`dnl')
+define(`devices_make_device_node',`dnl')
+')
+
+define(`create_netif_interfaces',``
+#######################################
+#
+# corenetwork_send_tcp_on_interface_$1(domain,[`optional'])
+#
+define(`corenetwork_send_tcp_on_interface_$1',`
+requires_block_template(`corenetwork_send_tcp_on_interface_$1_depend',dollarstwo)
+allow dollarsone $1_netif_t:netif tcp_send;
+')
+
+define(`corenetwork_send_tcp_on_interface_$1_depend',`
+type $1_netif_t;
+class netif tcp_send;
+')
+
+#######################################
+#
+# corenetwork_send_udp_on_interface_$1(domain,[`optional'])
+#
+define(`corenetwork_send_udp_on_interface_$1',`
+requires_block_template(`corenetwork_send_udp_on_interface_$1_depend',dollarstwo)
+allow dollarsone $1_netif_t:netif udp_send;
+')
+
+define(`corenetwork_send_udp_on_interface_$1_depend',`
+type $1_netif_t;
+class netif udp_send;
+')
+
+#######################################
+#
+# corenetwork_send_raw_on_interface_$1(domain,[`optional'])
+#
+define(`corenetwork_send_raw_on_interface_$1',`
+requires_block_template(`corenetwork_send_raw_on_interface_$1_depend',dollarstwo)
+allow dollarsone $1_netif_t:netif rawip_send;
+allow dollarsone self:capability net_raw;
+')
+
+define(`corenetwork_send_raw_on_interface_$1_depend',`
+type $1_netif_t;
+class netif rawip_send;
+class capability net_raw;
+')
+
+#######################################
+#
+# corenetwork_receive_tcp_on_interface_$1(domain,[`optional'])
+#
+define(`corenetwork_receive_tcp_on_interface_$1',`
+requires_block_template(`corenetwork_receive_tcp_on_interface_$1_depend',dollarstwo)
+allow dollarsone $1_netif_t:netif tcp_recv;
+')
+
+define(`corenetwork_receive_tcp_on_interface_$1_depend',`
+type $1_netif_t;
+class netif tcp_recv;
+')
+
+#######################################
+#
+# corenetwork_receive_udp_on_interface_$1(domain,[`optional'])
+#
+define(`corenetwork_receive_udp_on_interface_$1',`
+requires_block_template(`corenetwork_receive_udp_on_interface_$1_depend',dollarstwo)
+allow dollarsone $1_netif_t:netif udp_recv;
+')
+
+define(`corenetwork_receive_udp_on_interface_$1_depend',`
+type $1_netif_t;
+class netif udp_recv;
+')
+
+#######################################
+#
+# corenetwork_receive_raw_on_interface_$1(domain,[`optional'])
+#
+define(`corenetwork_receive_raw_on_interface_$1',`
+requires_block_template(`corenetwork_receive_raw_on_interface_$1_depend',dollarstwo)
+allow dollarsone $1_netif_t:netif rawip_recv;
+')
+
+define(`corenetwork_receive_raw_on_interface_$1_depend',`
+type $1_netif_t;
+class netif rawip_recv;
+')
+'') dnl end create_interfaces
+
+#
+# network_interface(linux_interfacename)
+#
+define(`network_interface',`
+ifdef(`interface_pass',`
+create_netif_interfaces($1)
+',`
+type $1_netif_t alias netif_$1_t, netif_type;
+requires_block_template(`type unlabeled_t')
+netifcon $1 system_u:object_r:$1_netif_t system_u:object_r:unlabeled_t
+')
+')
+
+#
+# network_node(node_name,address,netmask)
+#
+define(`network_node',`
+ifdef(`interface_pass',`
+#create_node_interfaces($1)
+',`
+type $1_node_t alias node_$1_t, node_type;
+nodecon $2 $3 system_u:object_r:$1_node_t
+')
+')
+
+define(`declare_ports',`dnl
+ifelse(eval($3 < 1024),1,`typeattribute $1 reserved_port_type;',`dnl')
+portcon $2 $3 system_u:object_r:$1
+ifelse(`$4',`',`',`declare_ports($1,shiftn(3,$*))')dnl
+')
+
+#
+# network_port(port_name,protocol portnum [,protocol portnum[,...]])
+#
+define(`network_port',`
+ifdef(`interface_pass',`
+#create_port_interfaces($1)
+',`
+type $1_port_t, port_type;
+declare_ports($1_port_t,shift($*))
+')
+')

refpolicy/policy/modules/kernel/corenetwork.te

@@ -0,0 +1,114 @@
+attribute netif_type;
+attribute node_type;
+attribute port_type;
+attribute reserved_port_type;
+
+#
+# tun_tap_device_t is the type of /dev/net/tun/* and /dev/net/tap/*
+#
+type tun_tap_device_t;
+devices_make_device_node(tun_tap_device_t)
+
+########################################
+#
+# Ports
+#
+
+#
+# port_t is the default type of INET port numbers.
+#
+type port_t, port_type;
+
+#
+# reserved_port_t is the type of INET port numbers below 1024.
+#
+type reserved_port_t, port_type, reserved_port_type;
+
+network_port(amanda, udp,10080, tcp,10080, udp,10081, tcp,10081, tcp,10082, tcp,10083)
+dnl network_port(biff) # no defined portcon in current strict
+network_port(dbskkd, tcp,1178)
+network_port(dhcpc, udp,68)
+network_port(dhcpd, udp,67)
+network_port(dict, tcp,2628)
+network_port(dns, udp,53, tcp,53)
+network_port(fingerd, tcp,79)
+network_port(ftp_data, tcp,20)
+network_port(ftp, tcp,21)
+network_port(http_cache, tcp,3128, udp,3130, tcp,8080)
+network_port(http, tcp,80, tcp,443)
+network_port(inetd_child, tcp,7, udp,7, tcp,9, udp,9, tcp,13, udp,13, tcp,19, udp,19, tcp,37, udp,37, tcp,113, tcp,512, tcp,543, tcp,544, tcp,891, udp,891, tcp,892, udp,892, tcp,2105)
+network_port(innd, tcp,119)
+network_port(ipp, tcp,631, udp,631)
+network_port(kerberos_admin, tcp,464, udp,464, tcp,749)
+network_port(kerberos_master, tcp,4444, udp,4444)
+network_port(kerberos, tcp,88, udp,88, tcp,750, udp,750)
+network_port(ldap, tcp,389, udp,389, tcp,636, udp,636)
+network_port(mail, tcp,2000)
+network_port(nmbd, udp,137, udp,138, udp,139)
+network_port(pop, tcp,106, tcp,109, tcp,110)
+network_port(portmap, udp,111, tcp,111)
+network_port(printer, tcp,515)
+network_port(pxe, udp,4011)
+network_port(radacct, udp,1646, udp,1813)
+network_port(radius, udp,1645, udp,1812)
+network_port(rsh, tcp,514)
+network_port(smbd, tcp,137-139, tcp,445)
+network_port(smtp, tcp,25, tcp,465, tcp,587)
+network_port(snmp, udp,161, udp,162, tcp,199)
+network_port(ssh, tcp,22)
+dnl network_port(stunnel) # no defined portcon in current strict
+network_port(swat, tcp,901)
+network_port(syslogd, udp,514)
+network_port(telnetd, tcp,23)
+network_port(tftp, udp,69)
+network_port(vnc, tcp,5900)
+network_port(xserver, tcp,6001, tcp,6002, tcp,6003, tcp,6004, tcp,6005, tcp,6006, tcp,6007, tcp,6008, tcp,6009, tcp,6010, tcp,6011, tcp,6012, tcp,6013, tcp,6014, tcp,6015, tcp,6016, tcp,6017, tcp,6018, tcp,6019)
+network_port(zebra, tcp,2601)
+
+# Defaults for reserved ports.  Earlier portcon entries take precedence;
+# these entries just cover any remaining reserved ports not otherwise
+# declared or omitted due to removal of a domain.
+portcon tcp 1-1023 system_u:object_r:reserved_port_t
+portcon udp 1-1023 system_u:object_r:reserved_port_t
+
+########################################
+#
+# Network nodes
+#
+
+#
+# node_t is the default type of network nodes.
+# The node_*_t types are used for specific network
+# nodes in net_contexts or net_contexts.mls.
+#
+type node_t, node_type;
+
+network_node(compat_ipv4, ::, ffff:ffff:ffff:ffff:ffff:ffff::)
+network_node(inaddr_any, 0.0.0.0, 255.255.255.255)
+dnl network_node(internal, , ) # no nodecon for this in current strict policy
+network_node(link_local, fe80::, ffff:ffff:ffff:ffff::, )
+network_node(lo, 127.0.0.1, 255.255.255.255)
+network_node(mapped_ipv4, ::ffff:0000:0000, ffff:ffff:ffff:ffff:ffff:ffff::)
+network_node(multicast, ff00::, ff00::)
+network_node(site_local, fec0::, ffc0::)
+network_node(unspec, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
+
+
+########################################
+#
+# Network Interfaces:
+#
+
+#
+# netif_t is the default type of network interfaces.
+#
+type netif_t, netif_type;
+
+network_interface(lo)
+network_interface(eth0)
+network_interface(eth1)
+network_interface(eth2)
+network_interface(ippp0)
+network_interface(ipsec0)
+network_interface(ipsec1)
+network_interface(ipsec2)

refpolicy/policy/modules/kernel/devices.if

@@ -0,0 +1,509 @@
+########################################
+#
+# devices_make_device_node(type,[`optional'])
+#
+define(`devices_make_device_node',`
+requires_block_template(devices_make_device_node_depend,$2)
+typeattribute $1 device_node;
+filesystem_associate($1,optional)
+')
+
+define(`devices_make_device_node_depend',`
+attribute device_node;
+filesystem_associate_depend
+')
+
+########################################
+#
+# devices_list_device_nodes(type,[`optional'])
+#
+define(`devices_list_device_nodes',`
+requires_block_template(devices_list_device_nodes_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 device_t:lnk_file { getattr read };
+')
+
+define(`devices_list_device_nodes_depend',`
+type device_t;
+class dir { getattr read search };
+class lnk_file { getattr read };
+')
+
+########################################
+#
+# devices_ignore_list_device_nodes(type,[`optional'])
+#
+define(`devices_ignore_list_device_nodes',`
+requires_block_template(devices_ignore_list_device_nodes_depend,$2)
+dontaudit $1 device_t:dir { getattr read search };
+')
+
+define(`devices_ignore_list_device_nodes_depend',`
+type device_t;
+class dir { getattr read search };
+')
+
+########################################
+#
+# devices_ignore_modify_generic_devices(type,[`optional'])
+#
+define(`devices_ignore_modify_generic_devices',`
+requires_block_template(devices_ignore_modify_generic_devices_depend,$2)
+dontaudit $1 device_t:{ chr_file blk_file } { getattr read write ioctl };
+')
+
+define(`devices_ignore_modify_generic_devices_depend',`
+type device_t;
+class chr_file { getattr read write ioctl };
+class blk_file { getattr read write ioctl };
+')
+
+########################################
+#
+# devices_create_dev_entry(domain,file,objectclass(es),[`optional'])
+#
+define(`devices_create_dev_entry',`
+requires_block_template(devices_set_dev_entry_depend,$4)
+allow $1 device_t:dir { getattr search read write add_name remove_name };
+type_transition $1 device_t:$3 $2;
+')
+
+define(`devices_set_dev_entry_depend',`
+type device_t;
+class dir { getattr search read write add_name remove_name };
+')
+
+########################################
+#
+# devices_raw_read_memory(domain,[`optional'])
+#
+define(`devices_raw_read_memory',`
+requires_block_template(devices_raw_read_memory_depend,$2)
+typeattribute $1 memory_raw_read;
+allow $1 device_t:dir { getattr read search };
+allow $1 memory_device_t:chr_file { getattr read ioctl };
+')
+
+define(`devices_raw_read_memory_depend',`
+type device_t, memory_device_t;
+attribute memory_raw_read;
+class dir { getattr read search };
+class chr_file { getattr read ioctl };
+')
+
+########################################
+#
+# devices_raw_write_memory(domain,[`optional'])
+#
+define(`devices_raw_write_memory',`
+requires_block_template(devices_raw_write_memory_depend,$2)
+typeattribute $1 memory_raw_write
+allow $1 device_t:dir { getattr read search };
+allow $1 memory_device_t:chr_file write;
+')
+
+define(`devices_raw_write_memory_depend',`
+type device_t, memory_device_t;
+attribute memory_raw_write;
+class dir { getattr read search };
+class chr_file write;
+')
+
+########################################
+#
+# devices_get_random_data(domain,[`optional'])
+#
+define(`devices_get_random_data',`
+requires_block_template(devices_get_random_data_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 random_device_t:chr_file { getattr read ioctl };
+')
+
+define(`devices_get_random_data_depend',`
+type device_t, random_device_t;
+class dir { getattr read search };
+class chr_file { getattr read ioctl };
+')
+
+########################################
+#
+# devices_get_pseudorandom_data(domain,[`optional'])
+#
+define(`devices_get_pseudorandom_data',`
+requires_block_template(devices_get_pseudorandom_data_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 urandom_device_t:chr_file { getattr read ioctl };
+')
+
+define(`devices_get_pseudorandom_data_depend',`
+type device_t, urandom_device_t;
+class dir { getattr read search };
+class chr_file { getattr read ioctl };
+')
+
+########################################
+#
+# devices_add_entropy(domain,[`optional'])
+#
+define(`devices_add_entropy',`
+requires_block_template(devices_add_entropy_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 random_device_t:chr_file { getattr write ioctl };
+')
+
+define(`devices_add_entropy_depend',`
+type device_t, random_device_t;
+class dir { getattr read search };
+class chr_file { getattr write ioctl };
+')
+
+########################################
+#
+# devices_set_pseudorandom_seed(domain,[`optional'])
+#
+define(`devices_set_pseudorandom_seed',`
+requires_block_template(devices_set_pseudorandom_seed_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 urandom_device_t:chr_file { getattr write ioctl };
+')
+
+define(`devices_set_pseudorandom_seed_depend',`
+type device_t, urandom_device_t;
+class dir { getattr read search };
+class chr_file { getattr write ioctl };
+')
+
+########################################
+#
+# devices_discard_data_stream(domain,[`optional'])
+#
+define(`devices_discard_data_stream',`
+requires_block_template(devices_discard_data_stream_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 null_device_t:chr_file { getattr write };
+')
+
+define(`devices_discard_data_stream_depend',`
+type device_t, null_device_t;
+class device_t:dir { getattr read search };
+class chr_file { getattr write };
+')
+
+########################################
+#
+# devices_get_zeros(domain,[`optional'])
+#
+define(`devices_get_zeros',`
+requires_block_template(devices_get_zeros_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 zero_device_t:chr_file { getattr read };
+')
+
+define(`devices_get_zeros_depend',`
+type device_t, zero_device_t;
+class device_t:dir { getattr read search };
+class chr_file { getattr read };
+')
+
+########################################
+#
+# devices_read_realtime_clock(domain,[`optional'])
+#
+define(`devices_read_realtime_clock',`
+requires_block_template(devices_read_realtime_clock_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 clock_device_t:chr_file { getattr read ioctl };
+')
+
+define(`devices_read_realtime_clock_depend',`
+type device_t, clock_device_t;
+class dir { getattr read search };
+class chr_file { getattr read ioctl };
+')
+
+########################################
+#
+# devices_record_sound_input(domain,[`optional'])
+#
+define(`devices_record_sound_input',`
+requires_block_template(devices_record_sound_input_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 sound_device_t:chr_file { getattr read ioctl };
+')
+
+define(`devices_record_sound_input_depend',`
+type device_t, sound_device_t;
+class dir { getattr read search };
+class chr_file { getattr read ioctl };
+')
+
+########################################
+#
+# devices_play_sound(domain,[`optional'])
+#
+define(`devices_play_sound',`
+requires_block_template(devices_play_sound_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 sound_device_t:chr_file { getattr write ioctl };
+')
+
+define(`devices_play_sound_depend',`
+type device_t, sound_device_t;
+class dir { getattr read search };
+class chr_file { getattr write ioctl };
+')
+
+########################################
+#
+# devices_read_sound_mixer_levels(domain,[`optional'])
+#
+define(`devices_read_sound_mixer_levels',`
+requires_block_template(devices_read_sound_mixer_levels_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 sound_device_t:chr_file { getattr read ioctl };
+')
+
+define(`devices_read_sound_mixer_levels_depend',`
+type device_t, sound_device_t;
+class dir { getattr read search };
+class chr_file { getattr read ioctl };
+')
+
+########################################
+#
+# devices_write_sound_mixer_levels(domain,[`optional'])
+#
+define(`devices_write_sound_mixer_levels',`
+requires_block_template(devices_write_sound_mixer_levels_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 sound_device_t:chr_file { getattr write ioctl };
+')
+
+define(`devices_write_sound_mixer_levels_depend',`
+type device_t, sound_device_t;
+class dir { getattr read search };
+class chr_file { getattr write ioctl };
+')
+
+########################################
+#
+# devices_direct_agp_access(domain,[`optional'])
+#
+define(`devices_direct_agp_access',`
+requires_block_template(devices_direct_agp_access_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 agp_device_t:chr_file { getattr read write ioctl };
+')
+
+define(`devices_direct_agp_access_depend',`
+type device_t, agp_device_t;
+class dir { getattr read search };
+class chr_file { getattr read write ioctl };
+')
+
+########################################
+#
+# devices_use_direct_rendering_interface(domain,[`optional'])
+#
+define(`devices_use_direct_rendering_interface',`
+requires_block_template(devices_use_direct_rendering_interface_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 dri_device_t:chr_file { getattr read ioctl };
+')
+
+define(`devices_use_direct_rendering_interface_depend',`
+type device_t, dri_device_t;
+class dir { getattr read search };
+class chr_file { getattr read write ioctl };
+')
+
+########################################
+#
+# devices_read_mtrr(domain,[`optional'])
+#
+define(`devices_read_mtrr',`
+requires_block_template(devices_read_mtrr_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 mtrr_device_t:chr_file { getattr read ioctl };
+')
+
+define(`devices_read_mtrr_depend',`
+type device_t, mtrr_device_t;
+class dir { getattr read search };
+class chr_file { getattr read ioctl };
+')
+
+########################################
+#
+# devices_write_mtrr(domain,[`optional'])
+#
+define(`devices_write_mtrr',`
+requires_block_template(devices_write_mtrr_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 mtrr_device_t:chr_file { getattr write ioctl };
+')
+
+define(`devices_write_mtrr_depend',`
+type device_t, mtrr_device_t;
+class chr_file { getattr write ioctl };
+')
+
+########################################
+#
+# devices_read_framebuffer(domain,[`optional'])
+#
+define(`devices_read_framebuffer',`
+requires_block_template(devices_read_framebuffer_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 framebuf_device_t:chr_file { getattr read ioctl };
+')
+
+define(`devices_read_framebuffer_depend',`
+type framebuf_device_t;
+class dir { getattr read search };
+class chr_file { getattr read ioctl };
+')
+
+########################################
+#
+# devices_write_framebuffer(domain,[`optional'])
+#
+define(`devices_write_framebuffer',`
+requires_block_template(devices_write_framebuffer_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 framebuf_device_t:chr_file { getattr write ioctl };
+')
+
+define(`devices_write_framebuffer_depend',`
+type device_t, framebuf_device_t;
+class dir { getattr read search };
+class chr_file { getattr write ioctl };
+')
+
+########################################
+#
+# devices_read_misc(domain,[`optional'])
+#
+define(`devices_read_misc',`
+requires_block_template(devices_read_misc_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 misc_device_t:chr_file { getattr read ioctl };
+')
+
+define(`devices_read_misc_depend',`
+type device_t, misc_device_t;
+class dir { getattr read search };
+class chr_file { getattr read ioctl };
+')
+
+########################################
+#
+# devices_write_misc(domain,[`optional'])
+#
+define(`devices_write_misc',`
+requires_block_template(devices_write_misc_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 misc_device_t:chr_file { getattr write ioctl };
+')
+
+define(`devices_write_misc_depend',`
+type device_t, misc_device_t;
+class dir { getattr read search };
+class chr_file { getattr write ioctl };
+')
+
+########################################
+#
+# devices_get_mouse_input(domain,[`optional'])
+#
+define(`devices_get_mouse_input',`
+requires_block_template(devices_get_mouse_input_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 mouse_device_t:chr_file { getattr read ioctl };
+')
+
+define(`devices_get_mouse_input_depend',`
+type device_t, mouse_device_t;
+allow $1 device_t:dir { getattr read search };
+class chr_file { getattr read ioctl };
+')
+
+########################################
+#
+# devices_get_input_event(domain,[`optional'])
+#
+define(`devices_get_input_event',`
+requires_block_template(devices_get_input_event_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 event_device_t:chr_file { getattr read ioctl };
+')
+
+define(`devices_get_input_event_depend',`
+type device_t, event_device_t;
+class dir { getattr read search };
+class chr_file { getattr read ioctl };
+')
+
+########################################
+#
+# devices_get_cpuid(domain,[`optional'])
+#
+define(`devices_get_cpuid',`
+requires_block_template(devices_get_cpuid_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 cpu_device_t:chr_file { getattr read ioctl };
+')
+
+define(`devices_get_cpuid_depend',`
+type device_t, cpu_device_t;
+class dir { getattr read search };
+class chr_file { getattr read ioctl };
+')
+
+########################################
+#
+# devices_load_cpu_microcode(domain,[`optional'])
+#
+define(`devices_load_cpu_microcode',`
+requires_block_template(devices_load_cpu_microcode_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 cpu_device_t:chr_file { getattr read write ioctl };
+')
+
+define(`devices_load_cpu_microcode_depend',`
+type device_t, cpu_device_t;
+class dir { getattr read search };
+class chr_file { getattr read write ioctl };
+')
+
+########################################
+#
+# devices_use_scanner(domain,[`optional'])
+#
+define(`devices_use_scanner',`
+requires_block_template(devices_use_scanner_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 scanner_device_t:chr_file { getattr read write ioctl };
+')
+
+define(`devices_use_scanner_depend',`
+type device_t, scanner_device_t;
+class dir { getattr read search };
+class chr_file { getattr read write ioctl };
+')
+
+########################################
+#
+# devices_control_system_powermanagement(domain,[`optional'])
+#
+define(`devices_control_system_powermanagement',`
+requires_block_template(devices_control_system_powermanagement_depend,$2)
+allow $1 device_t:dir { getattr read search };
+allow $1 power_device_t:chr_file { getattr read write ioctl };
+')
+
+define(`devices_control_system_powermanagement_depend',`
+type device_t, power_device_t;
+class dir { getattr read search };
+class chr_file { getattr read write ioctl };
+')

refpolicy/policy/modules/kernel/devices.te

@@ -0,0 +1,101 @@
+#
+# Device types
+#
+
+attribute device_node;
+
+#
+# device_t is the type of /dev.
+#
+type device_t, device_node;
+filesystem_associate(device_t)
+
+# Only directories and symlinks should be labeled device_t.
+# If there are other files with this type, it is wrong.
+# Relabelto is allowed for setfiles to function, in case
+# a device node has no specific type yet, but is for some
+# reason labeled with a specific type
+neverallow * device_t:{ file fifo_file sock_file chr_file blk_file } ~{ getattr setattr relabelfrom relabelto };
+
+#
+# zero_device_t is the type of /dev/zero.
+#
+type zero_device_t, device_node;
+filesystem_associate(zero_device_t)
+
+#
+# null_device_t is the type of /dev/null.
+#
+type null_device_t, device_node;
+filesystem_associate(null_device_t)
+
+#
+# memory_device_t is the type of /dev/kmem,
+# /dev/mem and /dev/port.
+#
+type memory_device_t, device_node;
+filesystem_associate(memory_device_t)
+
+attribute memory_raw_read;
+attribute memory_raw_write;
+neverallow ~memory_raw_read memory_device_t:{ chr_file blk_file } read;
+neverallow ~memory_raw_write memory_device_t:{ chr_file blk_file } { append write };
+
+#
+# random_device_t is the type of /dev/random
+# urandom_device_t is the type of /dev/urandom
+#
+type random_device_t, device_node;
+type urandom_device_t, device_node;
+filesystem_associate(random_device_t)
+filesystem_associate(urandom_device_t)
+
+#
+# Type for /dev/agpgart
+#
+type agp_device_t, device_node;
+filesystem_associate(agp_device_t)
+
+#
+# Type for /dev/apm_bios
+#
+type apm_bios_t, device_node;
+filesystem_associate(apm_bios_t)
+
+#
+# clock_device_t is the type of
+# /dev/rtc.
+#
+type clock_device_t, device_node;
+filesystem_associate(clock_device_t)
+
+#
+# cpu control devices /dev/cpu/0/*
+#
+type cpu_device_t, device_node;
+filesystem_associate(cpu_device_t)
+
+#
+# Type for framebuffer /dev/fb/*
+#
+type framebuf_device_t, device_node;
+filesystem_associate(framebuf_device_t)
+
+#
+# Type for /dev/cpu/mtrr and /proc/mtrr
+#
+type mtrr_device_t, device_node;
+filesystem_associate(mtrr_device_t)
+genfscon proc /mtrr system_u:object_r:mtrr_device_t
+
+#
+# Type for /dev/pmu 
+#
+type power_device_t, device_node;
+filesystem_associate(power_device_t)
+
+#
+# Type for sound devices and mixers
+#
+type sound_device_t, device_node;
+filesystem_associate(sound_device_t)

refpolicy/policy/modules/kernel/filesystem.if

@@ -0,0 +1,733 @@
+########################################
+#
+# filesystem_make_filesystem(type,[`optional'])
+#
+define(`filesystem_make_filesystem',`
+requires_block_template(filesystem_make_filesystem_depend,$2)
+typeattribute $1 fs_type;
+')
+
+define(`filesystem_make_filesystem_depend',`
+attribute fs_type;
+')
+
+########################################
+#
+# filesystem_mount_persistent_filesystem(domain,[`optional'])
+#
+define(`filesystem_mount_persistent_filesystem',`
+requires_block_template(filesystem_mount_persistent_filesystem_depend,$2)
+allow $1 fs_t:filesystem mount;
+')
+
+define(`filesystem_mount_persistent_filesystem_depend',`
+type fs_t;
+class filesystem mount;
+')
+
+########################################
+#
+# filesystem_remount_persistent_filesystem(domain,[`optional'])
+#
+define(`filesystem_remount_persistent_filesystem',`
+requires_block_template(filesystem_remount_persistent_filesystem_depend,$2)
+allow $1 fs_t:filesystem remount;
+')
+
+define(`filesystem_remount_persistent_filesystem_depend',`
+type fs_t;
+class filesystem remount;
+')
+
+########################################
+#
+# filesystem_unmount_persistent_filesystem(domain,[`optional'])
+#
+define(`filesystem_unmount_persistent_filesystem',`
+requires_block_template(filesystem_unmount_persistent_filesystem_depend,$2)
+allow $1 fs_t:filesystem mount;
+')
+
+define(`filesystem_unmount_persistent_filesystem_depend',`
+type fs_t;
+class filesystem unmount;
+')
+
+########################################
+#
+# filesystem_read_persistent_filesystem_stats(domain,[`optional'])
+#
+define(`filesystem_read_persistent_filesystem_stats',`
+requires_block_template(filesystem_read_persistent_filesystem_stats_depend,$2)
+allow $1 fs_t:filesystem getattr;
+')
+
+define(`filesystem_read_persistent_filesystem_stats_depend',`
+type fs_t;
+class filesystem getattr;
+')
+
+########################################
+#
+# filesystem_associate(type,[`optional'])
+#
+define(`filesystem_associate',`
+requires_block_template(filesystem_associate_depend,$2)
+allow $1 fs_t:filesystem associate;
+')
+
+define(`filesystem_associate_depend',`
+type fs_t;
+class filesystem associate;
+')
+
+########################################
+#
+# filesystem_mount_automount_filesystem(domain,[`optional'])
+#
+define(`filesystem_mount_automount_filesystem',`
+requires_block_template(filesystem_mount_automount_filesystem_depend,$2)
+allow $1 autofs_t:filesystem mount;
+')
+
+define(`filesystem_mount_automount_filesystem_depend',`
+type autofs_t;
+class filesystem mount;
+')
+
+########################################
+#
+# filesystem_remount_automount_filesystem(domain,[`optional'])
+#
+define(`filesystem_remount_automount_filesystem',`
+requires_block_template(filesystem_remount_automount_filesystem_depend,$2)
+allow $1 autofs_t:filesystem remount;
+')
+
+define(`filesystem_remount_automount_filesystem_depend',`
+type autofs_t;
+class filesystem remount;
+')
+
+########################################
+#
+# filesystem_unmount_automount_filesystem(domain,[`optional'])
+#
+define(`filesystem_unmount_automount_filesystem',`
+requires_block_template(filesystem_unmount_automount_filesystem_depend,$2)
+allow $1 autofs_t:filesystem mount;
+')
+
+define(`filesystem_unmount_automount_filesystem_depend',`
+type autofs_t;
+class filesystem unmount;
+')
+
+########################################
+#
+# filesystem_read_automount_filesystem_stats(domain,[`optional'])
+#
+define(`filesystem_read_automount_filesystem_stats',`
+requires_block_template(filesystem_read_automount_filesystem_stats_depend,$2)
+allow $1 autofs_t:filesystem getattr;
+')
+
+define(`filesystem_read_automount_filesystem_stats_depend',`
+type autofs_t;
+class filesystem getattr;
+')
+
+########################################
+#
+# filesystem_register_binary_executable_type(domain,[`optional'])
+#
+define(`filesystem_register_binary_executable_type',`
+requires_block_template(filesystem_register_binary_executable_type_depend,$2)
+allow $1 binfmt_misc_fs_t:dir { getattr search };
+allow $1 binfmt_misc_fs_t:file { getattr ioctl write };
+')
+
+define(`filesystem_register_binary_executable_type_depend',`
+type binfmt_misc_fs_t;
+class dir { getattr search };
+class file { getattr ioctl write };
+')
+
+########################################
+#
+# filesystem_mount_windows_network_filesystem(domain,[`optional'])
+#
+define(`filesystem_mount_windows_network_filesystem',`
+requires_block_template(filesystem_mount_windows_network_filesystem_depend,$2)
+allow $1 cifs_t:filesystem mount;
+')
+
+define(`filesystem_mount_windows_network_filesystem_depend',`
+type cifs_t;
+class filesystem mount;
+')
+
+########################################
+#
+# filesystem_remount_windows_network_filesystem(domain,[`optional'])
+#
+define(`filesystem_remount_windows_network_filesystem',`
+requires_block_template(filesystem_remount_windows_network_filesystem_depend,$2)
+allow $1 cifs_t:filesystem remount;
+')
+
+define(`filesystem_remount_windows_network_filesystem_depend',`
+type cifs_t;
+class filesystem remount;
+')
+
+########################################
+#
+# filesystem_unmount_windows_network_filesystem(domain,[`optional'])
+#
+define(`filesystem_unmount_windows_network_filesystem',`
+requires_block_template(filesystem_unmount_windows_network_filesystem_depend,$2)
+allow $1 cifs_t:filesystem mount;
+')
+
+define(`filesystem_unmount_windows_network_filesystem_depend',`
+type cifs_t;
+class filesystem unmount;
+')
+
+########################################
+#
+# filesystem_read_windows_network_filesystem_stats(domain,[`optional'])
+#
+define(`filesystem_read_windows_network_filesystem_stats',`
+requires_block_template(filesystem_read_windows_network_filesystem_stats_depend,$2)
+allow $1 cifs_t:filesystem getattr;
+')
+
+define(`filesystem_read_windows_network_filesystem_stats_depend',`
+type cifs_t;
+class filesystem getattr;
+')
+
+########################################
+#
+# filesystem_mount_dos_filesystem(domain,[`optional'])
+#
+define(`filesystem_mount_dos_filesystem',`
+requires_block_template(filesystem_mount_dos_filesystem_depend,$2)
+allow $1 dosfs_t:filesystem mount;
+')
+
+define(`filesystem_mount_dos_filesystem_depend',`
+type dosfs_t;
+class filesystem mount;
+')
+
+########################################
+#
+# filesystem_remount_dos_filesystem(domain,[`optional'])
+#
+define(`filesystem_remount_dos_filesystem',`
+requires_block_template(filesystem_remount_dos_filesystem_depend,$2)
+allow $1 dosfs_t:filesystem remount;
+')
+
+define(`filesystem_remount_dos_filesystem_depend',`
+type dosfs_t;
+class filesystem remount;
+')
+
+########################################
+#
+# filesystem_unmount_dos_filesystem(domain,[`optional'])
+#
+define(`filesystem_unmount_dos_filesystem',`
+requires_block_template(filesystem_unmount_dos_filesystem_depend,$2)
+allow $1 dosfs_t:filesystem mount;
+')
+
+define(`filesystem_unmount_dos_filesystem_depend',`
+type dosfs_t;
+class filesystem unmount;
+')
+
+########################################
+#
+# filesystem_read_dos_filesystem_stats(domain,[`optional'])
+#
+define(`filesystem_read_dos_filesystem_stats',`
+requires_block_template(filesystem_read_dos_filesystem_stats_depend,$2)
+allow $1 dosfs_t:filesystem getattr;
+')
+
+define(`filesystem_read_dos_filesystem_stats_depend',`
+type dosfs_t;
+class filesystem getattr;
+')
+
+########################################
+#
+# filesystem_mount_cd_filesystem(domain,[`optional'])
+#
+define(`filesystem_mount_cd_filesystem',`
+requires_block_template(filesystem_mount_cd_filesystem_depend,$2)
+allow $1 iso9660_t:filesystem mount;
+')
+
+define(`filesystem_mount_cd_filesystem_depend',`
+type iso9660_t;
+class filesystem mount;
+')
+
+########################################
+#
+# filesystem_remount_cd_filesystem(domain,[`optional'])
+#
+define(`filesystem_remount_cd_filesystem',`
+requires_block_template(filesystem_remount_cd_filesystem_depend,$2)
+allow $1 iso9660_t:filesystem remount;
+')
+
+define(`filesystem_remount_cd_filesystem_depend',`
+type iso9660_t;
+class filesystem remount;
+')
+
+########################################
+#
+# filesystem_unmount_cd_filesystem(domain,[`optional'])
+#
+define(`filesystem_unmount_cd_filesystem',`
+requires_block_template(filesystem_unmount_cd_filesystem_depend,$2)
+allow $1 iso9660_t:filesystem mount;
+')
+
+define(`filesystem_unmount_cd_filesystem_depend',`
+type iso9660_t;
+class filesystem unmount;
+')
+
+########################################
+#
+# filesystem_read_cd_filesystem_stats(domain,[`optional'])
+#
+define(`filesystem_read_cd_filesystem_stats',`
+requires_block_template(filesystem_read_cd_filesystem_stats_depend,$2)
+allow $1 iso9660_t:filesystem getattr;
+')
+
+define(`filesystem_read_cd_filesystem_stats_depend',`
+type iso9660_t;
+class filesystem getattr;
+')
+
+########################################
+#
+# filesystem_mount_nfs_filesystem(domain,[`optional'])
+#
+define(`filesystem_mount_nfs_filesystem',`
+requires_block_template(filesystem_mount_nfs_filesystem_depend,$2)
+allow $1 nfs_t:filesystem mount;
+')
+
+define(`filesystem_mount_nfs_filesystem_depend',`
+type nfs_t;
+class filesystem mount;
+')
+
+########################################
+#
+# filesystem_remount_nfs_filesystem(domain,[`optional'])
+#
+define(`filesystem_remount_nfs_filesystem',`
+requires_block_template(filesystem_remount_nfs_filesystem_depend,$2)
+allow $1 nfs_t:filesystem remount;
+')
+
+define(`filesystem_remount_nfs_filesystem_depend',`
+type nfs_t;
+class filesystem remount;
+')
+
+########################################
+#
+# filesystem_unmount_nfs_filesystem(domain,[`optional'])
+#
+define(`filesystem_unmount_nfs_filesystem',`
+requires_block_template(filesystem_unmount_nfs_filesystem_depend,$2)
+allow $1 nfs_t:filesystem mount;
+')
+
+define(`filesystem_unmount_nfs_filesystem_depend',`
+type nfs_t;
+class filesystem unmount;
+')
+
+########################################
+#
+# filesystem_read_nfs_filesystem_stats(domain,[`optional'])
+#
+define(`filesystem_read_nfs_filesystem_stats',`
+requires_block_template(filesystem_read_nfs_filesystem_stats_depend,$2)
+allow $1 nfs_t:filesystem getattr;
+')
+
+define(`filesystem_read_nfs_filesystem_stats_depend',`
+type nfs_t;
+class filesystem getattr;
+')
+
+########################################
+#
+# filesystem_mount_nfsd_filesystem(domain,[`optional'])
+#
+define(`filesystem_mount_nfsd_filesystem',`
+requires_block_template(filesystem_mount_nfsd_filesystem_depend,$2)
+allow $1 nfsd_fs_t:filesystem mount;
+')
+
+define(`filesystem_mount_nfsd_filesystem_depend',`
+type nfsd_fs_t;
+class filesystem mount;
+')
+
+########################################
+#
+# filesystem_remount_nfsd_filesystem(domain,[`optional'])
+#
+define(`filesystem_remount_nfsd_filesystem',`
+requires_block_template(filesystem_remount_nfsd_filesystem_depend,$2)
+allow $1 nfsd_fs_t:filesystem remount;
+')
+
+define(`filesystem_remount_nfsd_filesystem_depend',`
+type nfsd_fs_t;
+class filesystem remount;
+')
+
+########################################
+#
+# filesystem_unmount_nfsd_filesystem(domain,[`optional'])
+#
+define(`filesystem_unmount_nfsd_filesystem',`
+requires_block_template(filesystem_unmount_nfsd_filesystem_depend,$2)
+allow $1 nfsd_fs_t:filesystem mount;
+')
+
+define(`filesystem_unmount_nfsd_filesystem_depend',`
+type nfsd_fs_t;
+class filesystem unmount;
+')
+
+########################################
+#
+# filesystem_read_nfsd_filesystem_stats(domain,[`optional'])
+#
+define(`filesystem_read_nfsd_filesystem_stats',`
+requires_block_template(filesystem_read_nfsd_filesystem_stats_depend,$2)
+allow $1 nfsd_fs_t:filesystem getattr;
+')
+
+define(`filesystem_read_nfsd_filesystem_stats_depend',`
+type nfsd_fs_t;
+class filesystem getattr;
+')
+
+########################################
+#
+# filesystem_mount_ram_filesystem(domain,[`optional'])
+#
+define(`filesystem_mount_ram_filesystem',`
+requires_block_template(filesystem_mount_ram_filesystem_depend,$2)
+allow $1 ramfs_t:filesystem mount;
+')
+
+define(`filesystem_mount_ram_filesystem_depend',`
+type ramfs_t;
+class filesystem mount;
+')
+
+########################################
+#
+# filesystem_remount_ram_filesystem(domain,[`optional'])
+#
+define(`filesystem_remount_ram_filesystem',`
+requires_block_template(filesystem_remount_ram_filesystem_depend,$2)
+allow $1 ramfs_t:filesystem remount;
+')
+
+define(`filesystem_remount_ram_filesystem_depend',`
+type ramfs_t;
+class filesystem remount;
+')
+
+########################################
+#
+# filesystem_unmount_ram_filesystem(domain,[`optional'])
+#
+define(`filesystem_unmount_ram_filesystem',`
+requires_block_template(filesystem_unmount_ram_filesystem_depend,$2)
+allow $1 ramfs_t:filesystem mount;
+')
+
+define(`filesystem_unmount_ram_filesystem_depend',`
+type ramfs_t;
+class filesystem unmount;
+')
+
+########################################
+#
+# filesystem_read_ram_filesystem_stats(domain,[`optional'])
+#
+define(`filesystem_read_ram_filesystem_stats',`
+requires_block_template(filesystem_read_ram_filesystem_stats_depend,$2)
+allow $1 ramfs_t:filesystem getattr;
+')
+
+define(`filesystem_read_ram_filesystem_stats_depend',`
+type ramfs_t;
+class filesystem getattr;
+')
+
+########################################
+#
+# filesystem_mount_rom_filesystem(domain,[`optional'])
+#
+define(`filesystem_mount_rom_filesystem',`
+requires_block_template(filesystem_mount_rom_filesystem_depend,$2)
+allow $1 romfs_t:filesystem mount;
+')
+
+define(`filesystem_mount_rom_filesystem_depend',`
+type romfs_t;
+class filesystem mount;
+')
+
+########################################
+#
+# filesystem_remount_rom_filesystem(domain,[`optional'])
+#
+define(`filesystem_remount_rom_filesystem',`
+requires_block_template(filesystem_remount_rom_filesystem_depend,$2)
+allow $1 romfs_t:filesystem remount;
+')
+
+define(`filesystem_remount_rom_filesystem_depend',`
+type romfs_t;
+class filesystem remount;
+')
+
+########################################
+#
+# filesystem_unmount_rom_filesystem(domain,[`optional'])
+#
+define(`filesystem_unmount_rom_filesystem',`
+requires_block_template(filesystem_unmount_rom_filesystem_depend,$2)
+allow $1 romfs_t:filesystem mount;
+')
+
+define(`filesystem_unmount_rom_filesystem_depend',`
+type romfs_t;
+class filesystem unmount;
+')
+
+########################################
+#
+# filesystem_read_rom_filesystem_stats(domain,[`optional'])
+#
+define(`filesystem_read_rom_filesystem_stats',`
+requires_block_template(filesystem_read_rom_filesystem_stats_depend,$2)
+allow $1 romfs_t:filesystem getattr;
+')
+
+define(`filesystem_read_rom_filesystem_stats_depend',`
+type romfs_t;
+class filesystem getattr;
+')
+
+########################################
+#
+# filesystem_mount_rpc_pipefs_filesystem(domain,[`optional'])
+#
+define(`filesystem_mount_rpc_pipefs_filesystem',`
+requires_block_template(filesystem_mount_rpc_pipefs_filesystem_depend,$2)
+allow $1 rpc_pipefs_t:filesystem mount;
+')
+
+define(`filesystem_mount_rpc_pipefs_filesystem_depend',`
+type rpc_pipefs_t;
+class filesystem mount;
+')
+
+########################################
+#
+# filesystem_remount_rpc_pipefs_filesystem(domain,[`optional'])
+#
+define(`filesystem_remount_rpc_pipefs_filesystem',`
+requires_block_template(filesystem_remount_rpc_pipefs_filesystem_depend,$2)
+allow $1 rpc_pipefs_t:filesystem remount;
+')
+
+define(`filesystem_remount_rpc_pipefs_filesystem_depend',`
+type rpc_pipefs_t;
+class filesystem remount;
+')
+
+########################################
+#
+# filesystem_unmount_rpc_pipefs_filesystem(domain,[`optional'])
+#
+define(`filesystem_unmount_rpc_pipefs_filesystem',`
+requires_block_template(filesystem_unmount_rpc_pipefs_filesystem_depend,$2)
+allow $1 rpc_pipefs_t:filesystem mount;
+')
+
+define(`filesystem_unmount_rpc_pipefs_filesystem_depend',`
+type rpc_pipefs_t;
+class filesystem unmount;
+')
+
+########################################
+#
+# filesystem_read_rpc_pipefs_filesystem_stats(domain,[`optional'])
+#
+define(`filesystem_read_rpc_pipefs_filesystem_stats',`
+requires_block_template(filesystem_read_rpc_pipefs_filesystem_stats_depend,$2)
+allow $1 rpc_pipefs_t:filesystem getattr;
+')
+
+define(`filesystem_read_rpc_pipefs_filesystem_stats_depend',`
+type rpc_pipefs_t;
+class filesystem getattr;
+')
+
+########################################
+#
+# filesystem_mount_tmpfs_filesystem(domain,[`optional'])
+#
+define(`filesystem_mount_tmpfs_filesystem',`
+requires_block_template(filesystem_mount_tmpfs_filesystem_depend,$2)
+allow $1 tmpfs_t:filesystem mount;
+')
+
+define(`filesystem_mount_tmpfs_filesystem_depend',`
+type tmpfs_t;
+class filesystem mount;
+')
+
+########################################
+#
+# filesystem_remount_tmpfs_filesystem(domain,[`optional'])
+#
+define(`filesystem_remount_tmpfs_filesystem',`
+requires_block_template(filesystem_remount_tmpfs_filesystem_depend,$2)
+allow $1 tmpfs_t:filesystem remount;
+')
+
+define(`filesystem_remount_tmpfs_filesystem_depend',`
+type tmpfs_t;
+class filesystem remount;
+')
+
+########################################
+#
+# filesystem_unmount_tmpfs_filesystem(domain,[`optional'])
+#
+define(`filesystem_unmount_tmpfs_filesystem',`
+requires_block_template(filesystem_unmount_tmpfs_filesystem_depend,$2)
+allow $1 tmpfs_t:filesystem mount;
+')
+
+define(`filesystem_unmount_tmpfs_filesystem_depend',`
+type tmpfs_t;
+class filesystem unmount;
+')
+
+########################################
+#
+# filesystem_read_tmpfs_filesystem_stats(domain,[`optional'])
+#
+define(`filesystem_read_tmpfs_filesystem_stats',`
+requires_block_template(filesystem_read_tmpfs_filesystem_stats_depend,$2)
+allow $1 tmpfs_t:filesystem getattr;
+')
+
+define(`filesystem_read_tmpfs_filesystem_stats_depend',`
+type tmpfs_t;
+class filesystem getattr;
+')
+
+########################################
+#
+# filesystem_tmpfs_associate(type,[`optional'])
+#
+define(`filesystem_tmpfs_associate',`
+requires_block_template(filesystem_tmpfs_associate_depend,$2)
+allow $1 tmpfs_t:filesystem associate;
+')
+
+define(`filesystem_tmpfs_associate_depend',`
+type tmpfs_t;
+class filesystem associate;
+')
+
+########################################
+#
+# filesystem_create_private_tmpfs_data(domain,derivedtype,[class],[`optional'])
+#
+define(`filesystem_create_private_tmpfs_data',`
+requires_block_template(filesystem_create_private_tmpfs_data_depend,$4)
+allow $1 tmpfs_t:dir { getattr search read write add_name };
+ifelse(`$3',`',`
+type_transition $1 tmpfs_t:file $2;
+',`
+type_transition $1 tmpfs_t:$3 $2;
+')
+')
+
+define(`filesystem_create_private_tmpfs_data_depend',`
+type tmpfs_t;
+class dir { getattr search read write add_name }; 
+')
+
+########################################
+#
+# filesystem_mount_all_filesystems(type,[`optional'])
+#
+define(`filesystem_mount_all_filesystems',`
+requires_block_template(filesystem_mount_all_filesystems_depend,$2)
+allow $1 fs_type:filesystem mount;
+')
+
+define(`filesystem_mount_all_filesystems_depend',`
+attribute fs_type;
+class filesystem mount;
+')
+
+########################################
+#
+# filesystem_remount_all_filesystems(type,[`optional'])
+#
+define(`filesystem_remount_all_filesystems',`
+requires_block_template(filesystem_remount_all_filesystems_depend,$2)
+allow $1 fs_type:filesystem remount;
+')
+
+define(`filesystem_remount_all_filesystems_depend',`
+attribute fs_type;
+class filesystem remount;
+')
+
+########################################
+#
+# filesystem_unmount_all_filesystems(type,[`optional'])
+#
+define(`filesystem_unmount_all_filesystems',`
+requires_block_template(filesystem_unmount_all_filesystems_depend,$2)
+allow $1 fs_type:filesystem unmount;
+')
+
+define(`filesystem_mount_all_filesystems_depend',`
+attribute fs_type;
+class filesystem unmount;
+')

refpolicy/policy/modules/kernel/filesystem.te

@@ -0,0 +1,93 @@
+attribute fs_type;
+
+########################################
+#
+# fs_t is the default type for persistent
+# filesystems with extended attributes
+#
+type fs_t, fs_type;
+
+########################################
+#
+# Non-persistent/pseudo filesystems
+#
+type bdev_t, fs_type;
+genfscon bdev / system_u:object_r:bdev_t
+
+type binfmt_misc_fs_t, fs_type;
+genfscon binfmt_misc / system_u:object_r:binfmt_misc_fs_t
+
+type eventpollfs_t, fs_type;
+genfscon eventpollfs / system_u:object_r:eventpollfs_t
+
+type futexfs_t, fs_type;
+genfscon futexfs / system_u:object_r:futexfs_t
+
+type nfsd_fs_t, fs_type;
+genfscon nfsd / system_u:object_r:nfsd_fs_t
+
+type ramfs_t, fs_type;
+allow ramfs_t self:filesystem associate;
+genfscon ramfs / system_u:object_r:ramfs_t
+
+type romfs_t, fs_type;
+allow romfs_t self:filesystem associate;
+genfscon romfs / system_u:object_r:romfs_t
+genfscon cramfs / system_u:object_r:romfs_t
+
+type rpc_pipefs_t, fs_type;
+genfscon rpc_pipefs / system_u:object_r:rpc_pipefs_t
+
+#
+# tmpfs_t is the type for tmpfs filesystems
+#
+type tmpfs_t, fs_type;
+allow tmpfs_t self:filesystem associate;
+
+########################################
+#
+# Filesystems without extended attribute support
+#
+type autofs_t, fs_type;
+allow autofs_t self:filesystem associate;
+genfscon autofs / system_u:object_r:autofs_t
+genfscon automount / system_u:object_r:autofs_t
+
+#
+# cifs_t is the type for filesystems and their
+# files shared from Windows servers
+#
+type cifs_t alias sambafs_t, fs_type;
+allow cifs_t self:filesystem associate;
+genfscon cifs / system_u:object_r:cifs_t
+genfscon smbfs / system_u:object_r:cifs_t
+
+#
+# dosfs_t is the type for fat and vfat
+# filesystems and their files.
+#
+type dosfs_t, fs_type;
+allow dosfs_t self:filesystem associate;
+genfscon vfat / system_u:object_r:dosfs_t
+genfscon msdos / system_u:object_r:dosfs_t
+genfscon fat / system_u:object_r:dosfs_t
+genfscon ntfs / system_u:object_r:dosfs_t
+
+#
+# iso9660_t is the type for CD filesystems
+# and their files.
+#
+type iso9660_t, fs_type;
+allow iso9660_t self:filesystem associate;
+genfscon iso9660 / system_u:object_r:iso9660_t
+genfscon udf / system_u:object_r:iso9660_t
+
+#
+# nfs_t is the default type for NFS file systems
+# and their files.
+#
+type nfs_t, fs_type;
+allow nfs_t self:filesystem associate;
+genfscon nfs / system_u:object_r:nfs_t
+genfscon nfs4 / system_u:object_r:nfs_t
+genfscon afs / system_u:object_r:nfs_t

refpolicy/policy/modules/kernel/kernel.te

@@ -0,0 +1,148 @@
+########################################
+# kernel_t is the domain of kernel threads.
+# It is also the target type when checking permissions in the system class.
+# 
+type kernel_t;
+role system_r types kernel_t;
+
+domain_make_base_domain(kernel_t)
+
+terminal_use_console(kernel_t)
+domain_signal_all_domains(kernel_t)
+
+# Use capabilities. need to investigate which capabilities are actually used
+#allow kernel_t self:capability *;
+
+# Mount root file system.  Used when loading a policy
+# from initrd, then mounting the root filesystem
+filesystem_mount_all_filesystems(kernel_t)
+
+# Other possible mount points for the root fs are in sysfiles
+allow kernel_t unlabeled_t:dir mounton;
+
+# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
+#can_exec(kernel_t, bin_t.sys)
+
+# Kernel-generated traffic, e.g. ICMP replies.
+corenetwork_send_raw_on_all_interfaces(kernel_t)
+corenetwork_receive_raw_on_all_interfaces(kernel_t)
+
+# Kernel-generated traffic, e.g. TCP resets.
+corenetwork_send_tcp_on_all_interfaces(kernel_t)
+corenetwork_receive_tcp_on_all_interfaces(kernel_t)
+
+########################################
+#
+# unlabeled_t is the type of unlabeled objects.
+# Objects that have no known labeling information or that
+# have labels that are no longer valid are treated as having this type.
+#
+type unlabeled_t;
+
+############################################
+# 
+# security_t is the target type when checking
+# the permissions in the security class.  It is also
+# applied to selinuxfs inodes.
+#
+type security_t;
+genfscon selinuxfs / system_u:object_r:security_t
+
+attribute can_load_policy;
+attribute can_setenforce;
+attribute can_setsecparam;
+neverallow ~can_load_policy security_t:security load_policy;
+neverallow ~can_setenforce security_t:security setenforce;
+neverallow ~can_setsecparam security_t:security setsecparam;
+
+########################################
+#
+# sysfs_t is the type for /sys
+#
+type sysfs_t;
+filesystem_make_filesystem(sysfs_t)
+genfscon sysfs / system_u:object_r:sysfs_t
+
+########################################
+#
+# usbfs_t is the type for /proc/bus/usb
+#
+type usbfs_t alias usbdevfs_t;
+filesystem_make_filesystem(usbfs_t)
+genfscon usbfs / system_u:object_r:usbfs_t
+genfscon usbdevfs / system_u:object_r:usbfs_t
+
+############################################
+#
+# Procfs types
+#
+
+type proc_t;
+genfscon proc / system_u:object_r:proc_t
+genfscon proc /sysvipc system_u:object_r:proc_t
+
+# kernel message interface
+type proc_kmsg_t;
+genfscon proc /kmsg system_u:object_r:proc_kmsg_t
+attribute can_receive_kernel_messages;
+neverallow ~can_receive_kernel_messages proc_kmsg_t:file ~getattr;
+
+# /proc kcore: inaccessible
+type proc_kcore_t;
+neverallow * proc_kcore_t:file ~getattr;
+genfscon proc /kcore system_u:object_r:proc_kcore_t
+
+type proc_mdstat_t;
+genfscon proc /mdstat system_u:object_r:proc_mdstat_t
+
+type proc_net_t;
+genfscon proc /net system_u:object_r:proc_net_t
+
+############################################
+#
+# Sysctl types
+#
+
+# /proc/irq directory and files
+type sysctl_irq_t;
+genfscon proc /irq system_u:object_r:sysctl_irq_t
+
+# /proc/net/rpc directory and files
+type sysctl_rpc_t;
+genfscon proc /net/rpc system_u:object_r:sysctl_rpc_t
+
+# /proc/sys directory, base directory of sysctls
+type sysctl_t;
+genfscon proc /sys system_u:object_r:sysctl_t
+
+# /proc/sys/fs directory and files
+type sysctl_fs_t;
+genfscon proc /sys/fs system_u:object_r:sysctl_fs_t
+
+# /proc/sys/kernel directory and files
+type sysctl_kernel_t;
+genfscon proc /sys/kernel system_u:object_r:sysctl_kernel_t
+
+# /proc/sys/kernel/modprobe file
+type sysctl_modprobe_t;
+genfscon proc /sys/kernel/modprobe system_u:object_r:sysctl_modprobe_t
+
+# /proc/sys/kernel/hotplug file
+type sysctl_hotplug_t;
+genfscon proc /sys/kernel/hotplug system_u:object_r:sysctl_hotplug_t
+
+# /proc/sys/net directory and files
+type sysctl_net_t;
+genfscon proc /sys/net system_u:object_r:sysctl_net_t
+
+# /proc/sys/net/unix directory and files
+type sysctl_net_unix_t;
+genfscon proc /sys/net/unix system_u:object_r:sysctl_net_unix_t
+
+# /proc/sys/vm directory and files
+type sysctl_vm_t;
+genfscon proc /sys/vm system_u:object_r:sysctl_vm_t
+
+# /proc/sys/dev directory and files
+type sysctl_dev_t;
+genfscon proc /sys/dev system_u:object_r:sysctl_dev_t

refpolicy/policy/modules/kernel/storage.if

@@ -0,0 +1,135 @@
+########################################
+#
+# storage_raw_read_fixed_disk(domain,[`optional'])
+#
+define(`storage_raw_read_fixed_disk',`
+requires_block_template(storage_raw_read_fixed_disk_depend,$2)
+typeattribute $1 fixed_disk_raw_read;
+devices_list_device_nodes($1,optional)
+allow $1 fixed_disk_device_t:blk_file { getattr read ioctl };
+')
+
+define(`storage_raw_read_fixed_disk_depend',`
+type fixed_disk_device_t;
+attribute fixed_disk_raw_read;
+class blk_file { getattr read ioctl };
+devices_list_device_nodes_depend
+')
+
+########################################
+#
+# storage_raw_write_fixed_disk(domain,[`optional'])
+#
+define(`storage_raw_write_fixed_disk',`
+requires_block_template(storage_raw_write_fixed_disk_depend,$2)
+typeattribute $1 fixed_disk_raw_write;
+devices_list_device_nodes($1,optional)
+allow $1 fixed_disk_device_t:blk_file { getattr write ioctl };
+')
+
+define(`storage_raw_write_fixed_disk_depend',`
+type fixed_disk_device_t;
+attribute fixed_disk_raw_write;
+class blk_file { getattr write ioctl };
+devices_list_device_nodes_depend
+')
+
+########################################
+#
+# storage_read_scsi_generic(domain,[`optional'])
+#
+define(`storage_read_scsi_generic',`
+requires_block_template(storage_read_scsi_generic_depend,$2)
+typeattribute $1 scsi_generic_read;
+devices_list_device_nodes($1,optional)
+allow $1 scsi_generic_device_t:blk_file { getattr read ioctl };
+')
+
+define(`storage_read_scsi_generic_depend',`
+type scsi_generic_device_t;
+attribute scsi_generic_read;
+class blk_file { getattr read ioctl };
+devices_list_device_nodes_depend
+')
+
+########################################
+#
+# storage_write_scsi_generic(domain,[`optional'])
+#
+define(`storage_write_scsi_generic',`
+requires_block_template(storage_write_scsi_generic_depend,$2)
+typeattribute $1 scsi_generic_write;
+devices_list_device_nodes($1,optional)
+allow $1 fixed_disk_device_t:blk_file { getattr write ioctl };
+')
+
+define(`storage_write_scsi_generic_depend',`
+type scsi_generic_device_t;
+attribute scsi_generic_write;
+class blk_file { getattr write ioctl };
+devices_list_device_nodes_depend
+')
+
+########################################
+#
+# storage_raw_read_removable_device(domain,[`optional'])
+#
+define(`storage_raw_read_removable_device',`
+requires_block_template(storage_raw_read_removable_device_depend,$2)
+devices_list_device_nodes($1,optional)
+allow $1 removable_device_t:blk_file { getattr read ioctl };
+')
+
+define(`storage_raw_read_removable_device_depend',`
+type removable_device_t;
+class blk_file { getattr read ioctl };
+devices_list_device_nodes_depend
+')
+
+########################################
+#
+# storage_raw_write_removable_device(domain,[`optional'])
+#
+define(`storage_raw_write_removable_device',`
+requires_block_template(storage_raw_write_removable_device_depend,$2)
+devices_list_device_nodes($1,optional)
+allow $1 removable_device_t:blk_file { getattr write ioctl };
+')
+
+define(`storage_raw_write_removable_device_depend',`
+type removable_device_t;
+class blk_file { getattr write ioctl };
+devices_list_device_nodes_depend
+')
+
+########################################
+#
+# storage_read_tape_device(domain,[`optional'])
+#
+define(`storage_read_tape_device',`
+requires_block_template(storage_read_tape_device_depend,$2)
+devices_list_device_nodes($1,optional)
+allow $1 tape_device_t:blk_file { getattr read ioctl };
+')
+
+define(`storage_read_tape_device_depend',`
+type tape_device_t;
+class blk_file { getattr read ioctl };
+devices_list_device_nodes_depend
+')
+
+########################################
+#
+# storage_write_tape_device(domain,[`optional'])
+#
+define(`storage_write_tape_device',`
+requires_block_template(storage_write_tape_device_depend,$2)
+devices_list_device_nodes($1,optional)
+allow $1 tape_device_t:blk_file { getattr write ioctl };
+')
+
+define(`storage_write_tape_device_depend',`
+type tape_device_t;
+class blk_file { getattr write ioctl };
+devices_list_device_nodes_depend
+')

refpolicy/policy/modules/kernel/storage.te

@@ -0,0 +1,38 @@
+#
+# fixed_disk_device_t is the type of 
+# /dev/hd* and /dev/sd*.
+#
+type fixed_disk_device_t;
+
+attribute fixed_disk_raw_read;
+attribute fixed_disk_raw_write;
+neverallow ~fixed_disk_raw_read fixed_disk_device_t:{ chr_file blk_file } read;
+neverallow ~fixed_disk_raw_write fixed_disk_device_t:{ chr_file blk_file } { append write };
+devices_make_device_node(fixed_disk_device_t)
+
+#
+# scsi_generic_device_t is the type of /dev/sg*
+# it gives access to ALL SCSI devices (both fixed and removable)
+#
+type scsi_generic_device_t;
+
+attribute scsi_generic_read;
+attribute scsi_generic_write;
+neverallow ~scsi_generic_read scsi_generic_device_t:{ chr_file blk_file } read;
+neverallow ~scsi_generic_write scsi_generic_device_t:{ chr_file blk_file } { append write };
+devices_make_device_node(scsi_generic_device_t)
+
+#
+# removable_device_t is the type of
+# /dev/scd* and /dev/fd*.
+#
+type removable_device_t;
+
+devices_make_device_node(removable_device_t)
+
+#
+# tape_device_t is the type of
+#
+type tape_device_t;
+
+devices_make_device_node(tape_device_t)

refpolicy/policy/modules/kernel/terminal.if

@@ -0,0 +1,107 @@
+########################################
+#
+# terminal_use_console(domain,[`optional'])
+#
+define(`terminal_use_console',`
+requires_block_template(terminal_use_console_depend,$2)
+devices_list_device_nodes($1,optional)
+allow $1 console_device_t:chr_file { read write };
+')
+
+define(`terminal_use_console_depend',`
+type console_device_t;
+class chr_file { read write };
+devices_list_device_nodes_depend
+')
+
+########################################
+#
+# terminal_use_controlling_terminal(domain,[`optional'])
+#
+define(`terminal_use_controlling_terminal',`
+requires_block_template(terminal_use_controlling_terminal_depend,$2)
+devices_list_device_nodes($1,optional)
+allow $1 devtty_t:chr_file { read write };
+')
+
+define(`terminal_use_controlling_terminal_depend',`
+type devtty_t;
+class chr_file { read write };
+devices_list_device_nodes_depend
+')
+
+########################################
+#
+# terminal_make_pty(domain,ptytype,[`optional'])
+#
+define(`terminal_make_pty',`
+requires_block_template(terminal_make_pty_depend,$3)
+devices_list_device_nodes($1,optional)
+allow $1 ptmx_t:chr_file { getattr read write };
+allow $1 devpts_t:dir { getattr search read };
+allow $1 devpts_t:filesystem getattr;
+allow $2 devpts_t:filesystem associate;
+type_transition $1 devpts_t:chr_file $2;
+typeattribute $2 ptynode;
+')
+
+define(`terminal_make_pty_depend',`
+attribute ptynode;
+type ptmx_t, devpts_t;
+class filesystem { getattr associate };
+class dir { getattr search read };
+class chr_file { getattr read write };
+devices_list_device_nodes_depend
+')
+
+########################################
+#
+# terminal_use_all_terminals(domain,[`optional'])
+#
+define(`terminal_use_all_terminals',`
+requires_block_template(terminal_use_all_terminals_depend,$2)
+devices_list_device_nodes($1,optional)
+allow $1 devpts_t:dir { getattr read search };
+allow $1 { console_device_t devtty_t ttynode ptynode }:chr_file { read write };
+')
+
+define(`terminal_use_all_terminals_depend',`
+attribute ttynode, ptynode;
+type console_device_t, devtty_t, devpts_t;
+class chr_file { read write };
+devices_list_device_nodes_depend
+')
+
+########################################
+#
+# terminal_reset_labels(domain,[`optional'])
+#
+define(`terminal_reset_labels',`
+requires_block_template(terminal_reset_labels_depend,$2)
+devices_list_device_nodes($1,optional)
+kernel_relabeling_privilege($1,optional)
+allow $1 ttynode:chr_file relabelfrom;
+allow $1 tty_device_t:chr_file relabelto;
+')
+
+define(`terminal_reset_labels_depend',`
+attribute ttynode;
+type tty_device_t;
+class chr_file { relabelfrom relabelto };
+devices_list_device_nodes_depend
+kernel_relabeling_privilege_depend
+')
+
+########################################
+#
+# terminal_ignore_list_ptys(domain,[`optional'])
+#
+define(`terminal_ignore_list_ptys',`
+requires_block_template(terminal_ignore_list_ptys_depend,$2)
+allow $1 console_device_t:chr_file { read write };
+')
+
+define(`terminal_ignore_list_ptys_depend',`
+type devpts_t;
+class dir { getattr search read };
+')

refpolicy/policy/modules/kernel/terminal.te

@@ -0,0 +1,41 @@
+attribute ttynode;
+attribute ptynode;
+
+#
+# console_device_t is the type of /dev/console.
+#
+type console_device_t;
+
+devices_make_device_node(console_device_t)
+
+#
+# devtty_t is the type of /dev/tty.
+#
+type devtty_t;
+
+devices_make_device_node(devtty_t)
+
+#
+# tty_device_t is the type of /dev/*tty*
+#
+type tty_device_t, ttynode;
+
+devices_make_device_node(tty_device_t)
+
+#
+# bsdpty_device_t is the type of /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f]
+type bsdpty_device_t, ptynode;
+
+devices_make_device_node(bsdpty_device_t)
+
+
+# ptmx_t is the type for /dev/ptmx.
+type ptmx_t;
+
+devices_make_device_node(ptmx_t)
+
+#
+# devpts_t is the type of the devpts file system and 
+# the type of the root directory of the file system.
+#
+type devpts_t;

refpolicy/policy/modules/system/authlogin.if

@@ -0,0 +1,27 @@
+#######################################
+#
+# authlogin_modify_login_records(type,[`optional'])
+#
+define(`authlogin_modify_login_records',`
+requires_block_template(authlogin_modify_login_records_depend,$2)
+allow $1 wtmp_t:file { getattr read write setattr };
+')
+
+define(`authlogin_modify_login_records_depend',`
+type wtmp_t;
+class file { getattr read write setattr };
+')
+
+#######################################
+#
+# authlogin_modify_last_login_log(type,[`optional'])
+#
+define(`authlogin_modify_last_login_log',`
+requires_block_template(authlogin_modify_last_login_log_depend,$2)
+allow $1 lastlog_t:file { getattr read write setattr };
+')
+
+define(`authlogin_modify_last_login_log_depend',`
+type lastlog_t;
+class file { getattr read write setattr };
+')

refpolicy/policy/modules/system/authlogin.te

@@ -0,0 +1,5 @@
+type lastlog_t;
+logging_make_log_file(lastlog_t)
+
+type wtmp_t;
+logging_make_log_file(wtmp_t)

refpolicy/policy/modules/system/corecommands.if

@@ -0,0 +1,70 @@
+########################################
+#
+# corecommands_execute_general_programs(domain,[`optional']
+#
+define(`corecommands_execute_general_programs',`
+requires_block_template(corecommands_execute_general_programs_depend,$2)
+allow $1 bin_t:dir { getattr search read };
+allow $1 bin_t:lnk_file { getattr read };
+allow $1 bin_t:file { getattr read execute execute_no_trans };
+')
+
+define(`corecommands_execute_general_programs_depend',`
+type bin_t;
+class dir { getattr search read };
+class lnk_file { getattr read };
+class file { getattr read execute execute_no_trans };
+')
+
+########################################
+#
+# corecommands_execute_system_programs(domain,[`optional']
+#
+define(`corecommands_execute_system_programs',`
+requires_block_template(corecommands_execute_system_programs_depend,$2)
+allow $1 sbin_t:dir { getattr search read };
+allow $1 sbin_t:lnk_file { getattr read };
+allow $1 sbin_t:file { getattr read execute execute_no_trans };
+')
+
+define(`corecommands_execute_system_programs_depend',`
+type sbin_t;
+class dir { getattr search read };
+class lnk_file { getattr read };
+class file { getattr read execute execute_no_trans };
+')
+
+########################################
+#
+# corecommands_execute_shell(domain,[`optional']
+#
+define(`corecommands_execute_shell',`
+requires_block_template(corecommands_execute_shell_depend,$2)
+allow $1 bin_t:dir { getattr search read };
+allow $1 bin_t:lnk_file { getattr read };
+allow $1 shell_exec_t:file { getattr read execute execute_no_trans };
+')
+
+define(`corecommands_execute_shell_depend',`
+type bin_t, shell_exec_t;
+class dir { getattr search read };
+class lnk_file { getattr read };
+class file { getattr read execute execute_no_trans };
+')
+
+########################################
+#
+# corecommands_chroot(domain,[`optional']
+#
+define(`corecommands_chroot',`
+requires_block_template(corecommands_chroot_depend,$2)
+allow $1 chroot_exec_t:file { getattr read execute execute_no_trans };
+# could go to a generic chroot priv:
+allow $1 self:capability sys_chroot;
+')
+
+define(`corecommands_chroot_depend',`
+type chroot_exec_t;
+class file { getattr read execute execute_no_trans };
+class capability sys_chroot;
+')

refpolicy/policy/modules/system/corecommands.te

@@ -0,0 +1,27 @@
+#
+# bin_t is the type of files in the system bin directories.
+#
+type bin_t;
+files_make_file(bin_t)
+
+#
+# sbin_t is the type of files in the system sbin directories.
+#
+type sbin_t;
+files_make_file(sbin_t)
+kernel_read_directory_from(sbin_t)
+
+#
+# ls_exec_t is the type of the ls program.
+#
+#type ls_exec_t;
+typealias bin_t alias ls_exec_t;
+
+#
+# shell_exec_t is the type of user shells such as /bin/bash.
+#
+type shell_exec_t;
+files_make_file(sbin_t)
+
+type chroot_exec_t;
+files_make_file(chroot_exec_t)

refpolicy/policy/modules/system/domain.if

@@ -0,0 +1,108 @@
+########################################
+#
+# domain_make_base_domain(domain,[`optional'])
+#
+define(`domain_make_base_domain',`
+requires_block_template(domain_make_base_domain_depend,$2)
+
+# mark as a domain
+typeattribute $1 domain;
+
+# allow the domain to read its /proc/pid entries
+allow $1 self:dir { getattr search read };
+allow $1 self:{ file lnk_file } { getattr read };
+
+# allow $1 to create child processes in this domain
+allow $1 self:process { fork sigchld };
+')
+
+define(`domain_make_base_domain_depend',`
+attribute domain;
+class dir { getattr search read };
+class file { getattr read };
+class lnk_file { getattr read };
+')
+
+########################################
+#
+# domain_make_domain(domain,[`optional'])
+#
+define(`domain_make_domain',`
+requires_block_template(domain_make_domain_depend,$2)
+
+domain_make_base_domain($1,optional)
+
+files_read_root_dir($1,optional)
+init_sigchld($1,optional)
+')
+
+define(`domain_make_domain_depend',`
+domain_make_base_domain_depend
+files_read_root_dir_depend
+init_send_sigchld_depend
+')
+
+########################################
+#
+# domain_make_entrypoint_file(domain,entrypointfile,[`optional'])
+#
+define(`domain_make_entrypoint_file',`
+requires_block_template(domain_make_entrypoint_file_depend,$3)
+allow $1 $2:file entrypoint;
+neverallow $1 ~{ $2 }:file entrypoint;
+files_make_file($2,$3)
+')
+
+define(`domain_make_entrypoint_file_depend',`
+class file entrypoint;
+')
+
+########################################
+#
+# domain_signal_all_domains(domain,[`optional'])
+#
+define(`domain_signal_all_domains',`
+requires_block_template(domain_signal_all_domains_depend,$2)
+allow $1 domain:process signal;
+')
+
+define(`domain_signal_all_domains_depend',`
+attribute domain;
+class process signal;
+')
+
+########################################
+#
+# domain_kill_all_domains(domain,[`optional'])
+#
+define(`domain_kill_all_domains',`
+requires_block_template(domain_kill_all_domains_depend,$2)
+allow $1 domain:process sigkill;
+allow $1 self:capability kill;
+')
+
+define(`domain_kill_all_domains_depend',`
+attribute domain;
+class process sigkill;
+class capability kill;
+')
+
+########################################
+#
+# domain_read_all_domains_process_state(domain,[`optional'])
+#
+define(`domain_read_all_domains_process_state',`
+requires_block_template(domain_read_all_domains_process_state_depend,$2)
+allow $1 domain:dir { getattr search read };
+allow $1 domain:lnk_file { getattr read };
+allow $1 domain:file { getattr read };
+allow $1 domain:process { getattr getsession };
+')
+
+define(`domain_read_all_domains_process_state_depend',`
+attribute domain;
+class dir { getattr search read };
+class lnk_file { getattr read };
+class file { getattr read };
+class process { getattr getsession };
+')

refpolicy/policy/modules/system/domain.te

@@ -0,0 +1,4 @@
+# Mark process types as domains
+attribute domain;
+
+neverallow domain ~domain:process { transition dyntransition };

refpolicy/policy/modules/system/files.if

@@ -0,0 +1,412 @@
+########################################
+#
+# files_make_file(type,[`optional'])
+#
+define(`files_make_file',`
+requires_block_template(files_make_file_depend,$2)
+typeattribute $1 file_type;
+filesystem_associate($1,optional)
+')
+
+define(`files_make_file_depend',`
+attribute file_type;
+filesystem_associate_depend
+')
+
+########################################
+#
+# files_get_all_file_stats(type,[`optional'])
+#
+define(`files_get_all_file_stats',`
+requires_block_template(files_get_all_file_stats_depend,$2)
+allow $1 file_type:dir { search getattr };
+allow $1 file_type:file getattr;
+allow $1 file_type:lnk_file getattr;
+allow $1 file_type:fifo_file getattr;
+allow $1 file_type:sock_file getattr;
+')
+
+define(`files_get_all_file_stats_depend',`
+attribute file_type;
+class dir { search getattr };
+class file getattr;
+class lnk_file getattr;
+class fifo_file getattr;
+class sock_file getattr;
+')
+
+########################################
+#
+# files_read_root_dir(domain,[`optional'])
+#
+define(`files_read_root_dir',`
+requires_block_template(files_read_root_dir_depend,$2)
+allow $1 root_t:dir { getattr search read };
+allow $1 root_t:lnk_file { getattr read };
+')
+
+define(`files_read_root_dir_depend',`
+type root_t;
+class dir { getattr search read };
+class lnk_file { getattr read };
+')
+
+########################################
+#
+# files_create_root_dir_entry(domain,[`optional'])
+#
+define(`files_create_root_dir_entry',`
+requires_block_template(files_create_root_dir_entry_depend,$2)
+allow $1 root_t:dir { getattr search read write add_name };
+')
+
+define(`files_create_root_dir_entry_depend',`
+type root_t;
+class dir { getattr search read write add_name };
+')
+
+########################################
+#
+# files_create_private_root_dir_entry(domain,privatetype,[class(es)],[`optional'])
+#
+define(`files_create_private_root_dir_entry',`
+requires_block_template(files_create_private_root_dir_entry_depend,$2)
+allow $1 root_t:dir { getattr search read write add_name remove_name };
+ifelse(`$3',`',`
+type_transition $1 root_t:file $2;
+',`
+type_transition $1 root_t:$3 $2;
+') dnl end ifelse
+')
+
+define(`files_create_private_root_dir_entry_depend',`
+type root_t;
+class dir { getattr search read write add_name remove_name };
+')
+
+########################################
+#
+# files_remove_root_dir_entry(domain,[`optional'])
+#
+define(`files_remove_root_dir_entry',`
+requires_block_template(files_remove_root_dir_entry_depend,$2)
+allow $1 root_t:dir { getattr search read write remove_name };
+')
+
+define(`files_remove_root_dir_entry_depend',`
+type root_t;
+class dir { getattr search read write remove_name };
+')
+
+########################################
+#
+# files_read_general_system_config(type,[`optional'])
+#
+define(`files_read_general_system_config',`
+requires_block_template(files_read_general_system_config_depend,$2)
+allow $1 etc_t:dir { getattr search read };
+allow $1 etc_t:file { getattr read };
+allow $1 etc_t:lnk_file { getattr read };
+')
+
+define(`files_read_general_system_config_depend',`
+type etc_t;
+class dir { getattr search read };
+class file { getattr read };
+class lnk_file { getattr read };
+')
+
+########################################
+#
+# files_execute_system_config_script(domain,[`optional'])
+#
+define(`files_execute_system_config_script',`
+requires_block_template(files_execute_system_config_script_depend,$2)
+allow $1 etc_t:dir { getattr search read };
+allow $1 etc_t:lnk_file { getattr read };
+allow $1 etc_t:file { getattr read execute execute_no_trans };
+')
+
+define(`files_execute_system_config_script_depend',`
+type etc_t, etc_runtime_t;
+class dir { getattr search read };
+class lnk_file { getattr read };
+class file { getattr read execute execute_no_trans };
+')
+
+########################################
+#
+# files_create_boot_flag(type,[`optional'])
+#
+# /halt, /.autofsck, etc
+#
+define(`files_create_boot_flag',`
+requires_block_template(files_create_boot_flag_depend,$2)
+allow $1 root_t:dir { getattr search read write add_name remove_name };
+allow $1 etc_runtime_t:file { create read write setattr unlink };
+type_transition $1 root_t:file etc_runtime_t;
+')
+
+define(`files_create_boot_flag_depend',`
+type root_t, etc_runtime_t;
+class dir { getattr search read write add_name };
+class file { create read write setattr };
+')
+
+########################################
+#
+# files_create_runtime_system_config(type,[`optional'])
+#
+define(`files_create_runtime_system_config',`
+requires_block_template(files_create_runtime_system_config_depend,$2)
+allow $1 etc_t:dir { getattr search read write add_name remove_name };
+allow $1 etc_runtime_t:file { create read write setattr unlink };
+type_transition $1 etc_t:file etc_runtime_t;
+')
+
+define(`files_create_runtime_system_config_depend',`
+type etc_t, etc_runtime_t;
+class dir { getattr search read write add_name };
+class file { create read write setattr };
+')
+
+########################################
+#
+# files_read_runtime_system_config(domain,[`optional'])
+#
+define(`files_read_runtime_system_config',`
+requires_block_template(files_read_runtime_system_config_depend,$2)
+allow $1 etc_t:dir { getattr search read };
+allow $1 etc_runtime_t:file { getattr read };
+')
+
+define(`files_create_runtime_system_config_depend',`
+type etc_t, etc_runtime_t;
+class dir { getattr search read };
+class file { getattr read };
+')
+
+########################################
+#
+# files_create_private_config(domain,privatetype,[class(es)],[`optional'])
+#
+define(`files_create_private_config',`
+requires_block_template(files_create_private_config_depend,$4)
+allow $1 etc_t:dir { getattr search read write add_name remove_name };
+ifelse(`$3',`',`
+type_transition $1 etc_t:file $2;
+',`
+type_transition $1 etc_t:$3 $2;
+') dnl end ifelse
+')
+
+define(`files_create_private_config_depend',`
+type etc_t;
+class dir { getattr search read write add_name remove_name };
+')
+
+########################################
+#
+# files_read_general_shared_resources(domain,[`optional'])
+#
+define(`files_read_general_shared_resources',`
+requires_block_template(files_read_general_shared_resources_depend,$2)
+allow $1 usr_t:dir { getattr search read };
+allow $1 usr_t:{ file lnk_file } { getattr read };
+')
+
+define(`files_read_general_shared_resources_depend',`
+type usr_t;
+class dir { getattr search read };
+class file { getattr read };
+class lnk_file { getattr read };
+')
+
+########################################
+#
+# files_manage_pseudorandom_saved_seed(domain,[`optional'])
+#
+define(`files_manage_pseudorandom_saved_seed',`
+requires_block_template(files_manage_pseudorandom_saved_seed_depend,$2)
+allow $1 var_t:dir search;
+allow $1 var_lib_t:dir { getattr search read write add_name remove_name };
+allow $1 var_lib_t:file { getattr create read write setattr unlink };
+')
+
+define(`files_manage_pseudorandom_saved_seed_depend',`
+type usr_t;
+class dir { getattr search read write add_name remove_name };
+class file { getattr create read write setattr unlink };
+')
+
+########################################
+#
+# files_create_daemon_runtime_data(domain,pidfile,[object class(es)],[`optional'])
+#
+define(`files_create_daemon_runtime_data',`
+requires_block_template(files_create_daemon_runtime_data_depend,$4)
+allow $1 var_t:dir search;
+allow $1 var_run_t:dir { getattr search read write add_name remove_name };
+ifelse(`$3',`',`
+type_transition $1 var_run_t:file $2;
+',`
+type_transition $1 var_run_t:$3 $2;
+') dnl end ifelse
+typeattribute $1 pidfile;
+')
+
+define(`files_create_daemon_runtime_data_depend',`
+attribute pidfile;
+type var_t, var_run_t;
+class dir { getattr search read write add_name remove_name };
+')
+
+########################################
+#
+# files_modify_system_runtime_data(domain,[`optional'])
+#
+define(`files_modify_system_runtime_data',`
+requires_block_template(files_modify_system_runtime_data_depend,$2)
+allow $1 var_t:dir search;
+allow $1 var_run_t:dir { getattr search read };
+allow $1 var_run_t:file { getattr read write };
+')
+
+define(`files_modify_system_runtime_data_depend',`
+type var_t, var_run_t;
+class dir { getattr search read };
+class file { getattr read write };
+')
+
+########################################
+#
+# files_remove_all_daemon_runtime_data(domain,[`optional'])
+#
+define(`files_remove_all_daemon_runtime_data',`
+requires_block_template(files_remove_all_daemon_runtime_data_depend,$2)
+allow $1 var_t:dir search;
+allow $1 var_run_t:{ sock_file lnk_file } { getattr unlink };
+allow $1 var_run_t:dir rmdir;
+allow $1 pidfile:dir { getattr search read write add_name remove_name };
+allow $1 pidfile:file { getattr unlink };
+allow $1 pidfile:sock_file { getattr unlink };
+')
+
+define(`files_remove_all_daemon_runtime_data_depend',`
+attribute pidfile;
+type var_t, var_run_t;
+class dir { getattr search read write add_name remove_name rmdir };
+class file { getattr unlink };
+class lnk_file { getattr unlink };
+class sock_file { getattr unlink };
+')
+
+########################################
+#
+# files_create_private_tmp_data(domain,private_type,[object class(es)],[`optional'])
+#
+define(`files_create_private_tmp_data',`
+requires_block_template(files_create_private_tmp_data_depend,$2)
+allow $1 tmp_t:dir { getattr search read write add_name remove_name };
+ifelse(`$3',`',`
+type_transition $1 tmp_t:file $2;
+',`
+type_transition $1 tmp_t:$3 $2;
+')
+typeattribute $1 tmpfile;
+')
+
+define(`files_create_private_tmp_data_depend',`
+attribute tmpfile;
+type etc_t;
+class dir { getattr search read write add_name };
+')
+
+########################################
+#
+# files_remove_all_tmp_data(domain,[`optional'])
+#
+define(`files_remove_all_tmp_data',`
+requires_block_template(files_remove_all_tmp_data_depend,$2)
+allow $1 tmpfile:dir { getattr search read write add_name remove_name rmdir };
+allow $1 tmpfile:file { getattr unlink };
+allow $1 tmpfile:lnk_file { getattr unlink };
+allow $1 tmpfile:fifo_file { getattr unlink };
+allow $1 tmpfile:sock_file { getattr unlink };
+')
+
+define(`files_remove_all_tmp_data_depend',`
+attribute tmpfile;
+class dir { getattr search read write add_name remove_name rmdir };
+class file { getattr unlink };
+class lnk_file { getattr unlink };
+class fifo_file { getattr unlink };
+class sock_file { getattr unlink };
+')
+
+########################################
+#
+# files_manage_general_lock_files(domain,[`optional'])
+#
+define(`files_manage_general_lock_files',`
+requires_block_template(files_manage_general_lock_files_depend,$2)
+allow $1 var_lock_t:dir { getattr search create read write setattr add_name remove_name rmdir };
+allow $1 var_lock_t:file { getattr create read write setattr unlink };
+')
+
+define(`files_remove_general_lock_files_depend',`
+type var_lock_t;
+class dir { getattr search create read write setattr add_name remove_name rmdir };
+class file { getattr create read write setattr unlink };
+')
+
+########################################
+#
+# files_remove_all_lock_files(domain,[`optional'])
+#
+define(`files_remove_all_lock_files',`
+requires_block_template(files_remove_all_lock_files_depend,$2)
+allow $1 lockfile:dir { getattr search read write add_name remove_name };
+allow $1 lockfile:file { getattr unlink };
+')
+
+define(`files_remove_all_lock_files_depend',`
+attribute lockfile;
+class dir { getattr search read write add_name remove_name };
+class file { getattr unlink };
+')
+
+########################################
+#
+# files_read_general_system_resources(domain,[`optional'])
+#
+define(`files_read_general_system_resources',`
+requires_block_template(files_read_general_system_resources_depend,$2)
+allow $1 usr_t:dir { getattr search read };
+allow $1 usr_t:{ file lnk_file } { getattr read };
+')
+
+define(`files_read_general_system_resources_depend',`
+type usr_t;
+class dir { getattr search read };
+class file { getattr read };
+class lnk_file { getattr read };
+')
+
+########################################
+#
+# files_read_system_source_code(type,[`optional'])
+#
+define(`files_read_system_source_code',`
+requires_block_template(files_read_system_source_code_depend,$2)
+allow $1 usr_t:dir search;
+allow $1 src_t:dir { getattr search read };
+allow $1 src_t:{ file lnk_file } { getattr read };
+')
+
+define(`files_read_system_source_code_depend',`
+type usr_t, src_t;
+class dir { getattr search read };
+class file { getattr read };
+class lnk_file { getattr read };
+')

refpolicy/policy/modules/system/files.te

@@ -0,0 +1,116 @@
+attribute file_type;
+attribute lockfile;
+attribute pidfile;
+attribute tmpfile;
+
+# default_t is the default type for files that do not
+# match any specification in the file_contexts configuration
+# other than the generic /.* specification.
+type default_t, file_type;
+filesystem_associate(default_t)
+
+#
+# etc_t is the type of the system etc directories.
+#
+type etc_t, file_type;
+filesystem_associate(etc_t)
+
+#
+# etc_runtime_t is the type of various
+# files in /etc that are automatically
+# generated during initialization.
+#
+type etc_runtime_t, file_type;
+filesystem_associate(etc_runtime_t)
+
+#
+# file_t is the default type of a file that has not yet been
+# assigned an extended attribute (EA) value (when using a filesystem
+# that supports EAs).
+#
+type file_t, file_type;
+filesystem_associate(file_t)
+kernel_make_root_filesystem_mountpoint(file_t)
+
+#
+# removable_t is the default type of all removable media
+#
+type removable_t, file_type;
+filesystem_associate(removable_t)
+
+#
+# root_t is the type for rootfs and the root directory.
+#
+type root_t, file_type;
+filesystem_associate(root_t)
+kernel_read_directory_from(root_t)
+kernel_make_root_filesystem_mountpoint(root_t)
+genfscon rootfs / system_u:object_r:root_t
+
+#
+# home_root_t is the type for the directory where user home directories
+# are created
+#
+type home_root_t, file_type;
+filesystem_associate(home_root_t)
+
+#
+# lost_found_t is the type for the lost+found directories.
+#
+type lost_found_t, file_type;
+filesystem_associate(lost_found_t)
+
+#
+# mnt_t is the type for mount points such as /mnt/cdrom
+#
+type mnt_t, file_type;
+filesystem_associate(mnt_t)
+
+#
+# src_t is the type of files in the system src directories.
+#
+type src_t, file_type;
+filesystem_associate(src_t)
+
+#
+# tmp_t is the type of the temporary directories
+#
+type tmp_t, file_type, tmpfile;
+filesystem_associate(tmp_t)
+
+#
+# usr_t is the type for /usr.
+#
+type usr_t, file_type;
+filesystem_associate(usr_t)
+
+#
+# var_t is the type of /var
+#
+type var_t, file_type;
+filesystem_associate(var_t)
+
+#
+# var_lib_t is the type of /var/lib
+#
+type var_lib_t, file_type;
+filesystem_associate(var_lib_t)
+
+#
+# var_lock_t is tye type of /var/lock
+#
+type var_lock_t, file_type, lockfile;
+filesystem_associate(var_lock_t)
+
+#
+# var_run_t is the type of /var/run, usually
+# used for pid and other runtime files.
+#
+type var_run_t, file_type, pidfile;
+filesystem_associate(var_run_t)
+
+#
+# var_spool_t is the type of /var/spool
+#
+type var_spool_t, file_type;
+filesystem_associate(var_spool_t)

refpolicy/policy/modules/system/init.if

@@ -0,0 +1,69 @@
+########################################
+#
+# init_transition(domain,[`optional'])
+#
+define(`init_transition',`
+requires_block_template(init_transition_depend,$2)
+allow $1 init_exec_t:file { getattr read execute };
+allow $1 init_t:process transition;
+type_transition $1 init_exec_t:file init_t;
+dontaudit $1 init_t:process { noatsecure siginh rlimitinh };
+')
+
+define(`init_transition_depend',`
+type init_t, init_exec_t;
+class file { getattr read execute };
+class process { transition noatsecure siginh rlimitinh };
+')
+
+########################################
+#
+# init_sigchld(domain,[`optional'])
+#
+define(`init_sigchld',`
+requires_block_template(init_sigchld_depend,$2)
+allow $1 init_t:process sigchld;
+')
+
+define(`init_sigchld_depend',`
+type init_t;
+class process sigchld;
+')
+
+########################################
+#
+# init_script_transition(domain,[`optional'])
+#
+define(`init_script_transition',`
+requires_block_template(init_script_transition_depend,$2)
+allow $1 initrc_exec_t:file { getattr read execute };
+allow $1 initrc_t:process transition;
+type_transition $1 initrc_exec_t:file init_t;
+dontaudit $1 init_t:process { noatsecure siginh rlimitinh };
+')
+
+define(`init_script_transition_depend',`
+type initrc_t, initrc_exec_t;
+class file { getattr read execute };
+class process { transition noatsecure siginh rlimitinh };
+')
+
+########################################
+#
+# init_script_direct_admin_transition(role,domain,[`optional'])
+#
+define(`init_script_direct_admin_transition',`
+requires_block_template(init_script_direct_admin_transition_depend,$2)
+allow $2 initrc_exec_t:file { getattr read execute };
+allow $2 initrc_t:process transition;
+type_transition $2 initrc_exec_t:file init_t;
+kernel_system_role_transition($1,initrc_exec_t,optional)
+dontaudit $2 init_t:process { noatsecure siginh rlimitinh };
+')
+
+define(`init_script_direct_admin_transition_depend',`
+type initrc_t, initrc_exec_t;
+class file { getattr read execute };
+class process { transition noatsecure siginh rlimitinh };
+kernel_system_role_transition_depend
+')

refpolicy/policy/modules/system/init.te

@@ -0,0 +1,444 @@
+# init_t is the domain of the init process.
+# init_exec_t is the type of the init program.
+# init_var_run_t is the type for /var/run/shutdown.pid.
+# initctl_t is the type of the named pipe created 
+#           by init during initialization.  This pipe is used
+#           to communicate with init.
+#
+type init_t;
+domain_make_domain(init_t)
+role system_r types init_t;
+
+type init_exec_t;
+domain_make_entrypoint_file(init_t,init_exec_t)
+
+type initctl_t;
+files_make_file(initctl_t)
+devices_create_dev_entry(init_t,initctl_t,fifo_file)
+
+type init_var_run_t;
+files_make_file(init_var_run_t)
+files_create_daemon_runtime_data(init_t,init_var_run_t)
+
+kernel_transition_from(init_t,init_exec_t)
+kernel_sigchld_from(init_t)
+
+# If you load a new policy that removes active domains, processes can
+# get stuck if you do not allow unlabeled processes to signal init
+# If you load an incompatible policy, you should probably reboot,
+# since you may have compromised system security.
+kernel_unlabeled_sigchld_from(init_t)
+
+kernel_set_selinux_boolean(init_t)
+kernel_read_system_state(init_t)
+kernel_read_hardware_state(init_t)
+kernel_share_state(init_t)
+
+terminal_use_all_terminals(init_t)
+
+domain_signal_all_domains(init_t)
+domain_kill_all_domains(init_t)
+
+files_modify_system_runtime_data(init_t)
+
+libraries_use_dynamic_loader(init_t)
+libraries_read_shared_libraries(init_t)
+
+corecommands_chroot(init_t)
+corecommands_execute_general_programs(init_t)
+corecommands_execute_system_programs(init_t)
+
+selinux_read_config(init_t)
+
+miscfiles_read_localization(init_t)
+
+# Re-exec itself
+allow init_t init_exec_t:file { getattr read execute execute_no_trans };
+
+# For /var/run/shutdown.pid.
+allow init_t init_var_run_t:file { create getattr read append write setattr unlink };
+
+# Run init scripts.  this is ok since initrc
+# is also in this module
+allow init_t initrc_t:process transition;
+allow init_t initrc_exec_t:file { getattr read execute };
+
+# Create unix sockets
+allow init_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow init_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow init_t self:fifo_file { read write ioctl };
+
+########################################
+#
+# the following seem questionable
+#
+
+libraries_modify_dynamic_loader_cache(init_t)
+files_create_runtime_system_config(init_t)
+authlogin_modify_login_records(init_t)
+logging_modify_system_logs(init_t)
+
+# Use capabilities. old rule:
+#allow init_t self:capability ~sys_module;
+# is ~sys_module really needed? observed: 
+# sys_boot
+# sys_tty_config
+# kill: now provided by domain_kill_all_domains()
+# setuid (from /sbin/shutdown)
+# sys_chroot (from /usr/bin/chroot): now provided by corecommands_chroot()
+allow init_t self:capability { sys_boot sys_tty_config setuid };
+
+# Modify utmp.
+allow init_t initrc_var_run_t:file { getattr read write setattr };
+
+define(`init_consoletype_optional_policy',`
+consoletype_execute(init_t,optional)
+')
+
+########################################
+#
+# Conditional policy logic
+#
+
+ifdef(`monolithic_policy',`
+ifdef(`consoletype.te',`init_consoletype_optional_policy')
+',`
+optional consoletype { consoletype_execute_depend }
+ifopt (consoletype) { init_consoletype_optional_policy }
+') dnl end monolithic_policy
+
+########################################
+#
+# the following still need to be converted over
+#
+
+# something other then static libs
+allow init_t lib_t:file { getattr read };
+
+# for mount points
+allow init_t file_t:dir search;
+
+# file descriptors inherited from the rootfs.
+dontaudit init_t root_t:{ file chr_file } { read write }; 
+
+
+
+
+
+type initrc_t;
+domain_make_domain(initrc_t)
+role system_r types initrc_t;
+
+type initrc_exec_t;
+domain_make_entrypoint_file(initrc_t,initrc_exec_t)
+
+type initrc_devpts_t;
+terminal_make_pty(initrc_t,initrc_devpts_t)
+
+type initrc_var_run_t;
+files_make_file(initrc_var_run_t)
+files_create_daemon_runtime_data(initrc_t,initrc_var_run_t)
+
+type initrc_state_t;
+files_make_file(initrc_state_t)
+
+type initrc_tmp_t;
+files_make_file(initrc_tmp_t)
+files_create_private_tmp_data(initrc_t,initrc_tmp_t)
+
+allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
+allow initrc_t self:capability ~{ sys_admin sys_module };
+allow initrc_t self:passwd rootok;
+
+# Allow IPC with self
+allow initrc_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow initrc_t self:unix_stream_socket { create listen accept ioctl read getattr write setattr append bind connect getopt setopt shutdown connectto };
+allow initrc_t self:fifo_file { read write ioctl };
+
+allow initrc_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read };
+
+allow initrc_t initrc_state_t:dir { create read getattr lock setattr ioctl unlink rename search add_name remove_name reparent write rmdir };
+allow initrc_t initrc_state_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+allow initrc_t initrc_state_t:lnk_file { create read getattr setattr unlink rename };
+
+kernel_read_system_state(initrc_t)
+kernel_read_software_raid_state(initrc_t)
+kernel_read_network_state(initrc_t)
+kernel_read_ring_buffer(initrc_t)
+kernel_change_ring_buffer_level(initrc_t)
+kernel_clear_ring_buffer(initrc_t)
+kernel_get_sysvipc_info(initrc_t)
+kernel_read_hardware_state(initrc_t)
+kernel_modify_hardware_config_option(initrc_t)
+kernel_read_all_sysctl(initrc_t)
+kernel_modify_all_sysctl(initrc_t)
+kernel_get_selinux_enforcement_mode(initrc_t)
+kernel_list_usb_hardware(initrc_t)
+
+filesystem_register_binary_executable_type(initrc_t)
+# cjp: not sure why these are here; should use mount policy
+filesystem_mount_all_filesystems(initrc_t)
+filesystem_unmount_all_filesystems(initrc_t)
+
+# can_network(initrc_t):
+allow initrc_t self:tcp_socket { connect listen accept create ioctl read getattr write setattr append bind getopt setopt shutdown };
+allow initrc_t self:udp_socket { connect create ioctl read getattr write setattr append bind getopt setopt shutdown };
+corenetwork_send_tcp_on_all_interfaces(initrc_t)
+corenetwork_send_raw_on_all_interfaces(initrc_t)
+corenetwork_send_udp_on_all_interfaces(initrc_t)
+#corenetwork_send_tcp_on_all_nodes(initrc_t)
+#corenetwork_send_raw_on_all_nodes(initrc_t)
+#corenetwork_send_udp_on_all_nodes(initrc_t)
+#corenetwork_send_tcp_on_all_ports(initrc_t)
+#corenetwork_send_udp_on_all_ports(initrc_t)
+corenetwork_receive_tcp_on_all_interfaces(initrc_t)
+corenetwork_receive_raw_on_all_interfaces(initrc_t)
+corenetwork_receive_udp_on_all_interfaces(initrc_t)
+#corenetwork_receive_tcp_on_all_nodes(initrc_t)
+#corenetwork_receive_raw_on_all_nodes(initrc_t)
+#corenetwork_receive_udp_on_all_nodes(initrc_t)
+#corenetwork_receive_tcp_on_all_ports(initrc_t)
+#corenetwork_receive_udp_on_all_ports(initrc_t)
+#corenetwork_bind_tcp_on_all_nodes(initrc_t)
+#corenetwork_bind_udp_on_all_nodes(initrc_t)
+#allow initrc_t net_conf_t:file r_file_perms;
+#sysnetwork_read_network_config(initrc_t)
+
+domain_kill_all_domains(initrc_t)
+domain_read_all_domains_process_state(initrc_t)
+
+devices_get_random_data(initrc_t)
+devices_get_pseudorandom_data(initrc_t)
+devices_add_entropy(initrc_t)
+devices_set_pseudorandom_seed(initrc_t)
+devices_read_framebuffer(initrc_t)
+devices_read_realtime_clock(initrc_t)
+devices_read_sound_mixer_levels(initrc_t)
+devices_write_sound_mixer_levels(initrc_t)
+
+terminal_use_all_terminals(initrc_t)
+terminal_reset_labels(initrc_t)
+
+bootloader_read_kernel_symbol_table(initrc_t)
+
+libraries_modify_dynamic_loader_cache(initrc_t)
+libraries_use_dynamic_loader(initrc_t)
+libraries_read_shared_libraries(initrc_t)
+libraries_execute_library_scripts(initrc_t)
+
+files_get_all_file_stats(initrc_t)
+files_remove_all_tmp_data(initrc_t)
+files_remove_all_lock_files(initrc_t)
+files_remove_all_daemon_runtime_data(initrc_t)
+files_read_general_system_config(initrc_t)
+files_create_runtime_system_config(initrc_t)
+files_manage_general_lock_files(initrc_t)
+files_execute_system_config_script(initrc_t)
+files_read_general_shared_resources(initrc_t)
+files_manage_pseudorandom_saved_seed(initrc_t)
+
+corecommands_execute_general_programs(initrc_t)
+corecommands_execute_system_programs(initrc_t)
+
+selinux_read_config(initrc_t)
+selinux_read_default_contexts(run_init_t)
+
+modutils_read_kernel_module_loading_config(initrc_t)
+
+authlogin_modify_login_records(initrc_t)
+authlogin_modify_last_login_log(initrc_t)
+
+miscfiles_read_localization(initrc_t)
+
+logging_modify_system_logs(initrc_t)
+logging_read_all_logs(initrc_t)
+logging_append_all_logs(initrc_t)
+
+ifdef(`distro_redhat',`
+kernel_set_selinux_enforcement_mode(initrc_t)
+
+files_create_boot_flag(initrc_t)
+
+# Create and read /boot/kernel.h and /boot/System.map.
+# Redhat systems typically create this file at boot time.
+bootloader_create_runtime_data(initrc_t)
+')
+
+#################################
+#
+# Rules for the run_init_t domain.
+#
+
+type run_init_t;
+domain_make_domain(run_init_t)
+
+type run_init_exec_t;
+files_make_file(run_init_exec_t)
+
+
+ifdef(`targeted_policy',`
+# targeted/unconfined stuff
+',`
+corecommands_execute_general_programs(run_init_t)
+corecommands_execute_shell(run_init_t)
+
+filesystem_read_persistent_filesystem_stats(run_init_t)
+
+files_read_general_system_config(run_init_t)
+
+libraries_use_dynamic_loader(run_init_t)
+libraries_read_shared_libraries(run_init_t)
+
+selinux_read_config(run_init_t)
+
+miscfiles_read_localization(run_init_t)
+
+allow run_init_t initrc_t:process transition;
+allow run_init_t initrc_exec_t:file { getattr read execute };
+
+# for utmp
+allow run_init_t initrc_var_run_t:file { getattr read write };
+
+allow run_init_t self:process setexec;
+allow run_init_t self:capability setuid;
+
+allow run_init_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow run_init_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+
+allow run_init_t self:fifo_file { getattr read write };
+
+# often the administrator runs such programs from a directory that is owned
+# by a different user or has restrictive SE permissions, do not want to audit
+# the failed access to the current directory
+dontaudit run_init_t self:capability { dac_override dac_read_search };
+
+devices_ignore_list_device_nodes(run_init_t)
+terminal_ignore_list_ptys(run_init_t)
+') dnl end ifdef targeted policy
+
+
+ifdef(`TODO',`
+
+# Mount and unmount file systems.
+allow initrc_t { file_t default_t }:dir { read search getattr mounton };
+
+allow initrc_t var_spool_t:file rw_file_perms;
+
+allow initrc_t privfd:fd use;
+
+# for cryptsetup
+allow initrc_t fixed_disk_device_t:blk_file getattr;
+
+# Set device ownerships/modes.
+allow initrc_t device_type:chr_file setattr;
+allow initrc_t misc_device_t:{ chr_file blk_file } setattr;
+allow initrc_t fixed_disk_device_t:blk_file setattr;
+allow initrc_t removable_device_t:blk_file setattr;
+allow initrc_t xconsole_device_t:fifo_file setattr;
+allow initrc_t sound_device_t:chr_file setattr;
+
+# Allow access to the sysadm TTYs. Note that this will give access to the 
+# TTYs to any process in the initrc_t domain. Therefore, daemons and such
+# started from init should be placed in their own domain.
+allow initrc_t admin_tty_type:chr_file rw_file_perms;
+
+# Read user home directories.
+allow initrc_t { home_root_t home_type }:dir r_dir_perms;
+allow initrc_t home_type:file r_file_perms;
+
+allow initrc_t udev_runtime_t:file rw_file_perms;
+
+# for lsof in shutdown scripts
+can_kerberos(initrc_t)
+
+#
+# Wants to remove udev.tbl
+#
+allow initrc_t device_t:dir rw_dir_perms;
+allow initrc_t device_t:lnk_file unlink;
+
+#
+#  These rules are here to allow init scripts to su
+#
+ifdef(`su.te', `
+su_restricted_domain(initrc,system)
+role system_r types initrc_su_t;
+')
+
+ifdef(`distro_debian', `
+allow initrc_t { etc_t device_t }:dir setattr;
+
+# for storing state under /dev/shm
+allow initrc_t tmpfs_t:dir setattr;
+file_type_auto_trans(initrc_t, tmpfs_t, initrc_var_run_t, dir)
+file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
+allow { initrc_var_run_t fixed_disk_device_t } tmpfs_t:filesystem associate;
+')
+
+ifdef(`distro_redhat', `
+# Create and read /boot/kernel.h and /boot/System.map.
+# Redhat systems typically create this file at boot time.
+allow initrc_t boot_t:lnk_file rw_file_perms;
+
+allow initrc_t tmpfs_t:chr_file rw_file_perms;
+allow initrc_t tmpfs_t:dir r_dir_perms;
+
+#
+# readahead asks for these
+#
+allow initrc_t etc_aliases_t:file { getattr read };
+allow initrc_t var_lib_nfs_t:file { getattr read };
+
+')dnl end distro_redhat
+
+#
+# Shutting down xinet causes these
+#
+# Fam
+dontaudit initrc_t device_t:dir { read write };
+# Rsync
+dontaudit initrc_t mail_spool_t:lnk_file read;
+
+# for lsof which is used by alsa shutdown
+dontaudit initrc_t domain:{ udp_socket tcp_socket fifo_file unix_dgram_socket } getattr;
+dontaudit initrc_t proc_kmsg_t:file getattr;
+
+
+#################################
+#
+# Rules for the run_init_t domain.
+#
+
+
+ifdef(`targeted_policy', `
+domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
+allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
+allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
+domain_trans(initrc_t, shell_exec_t, unconfined_t)
+', `
+domain_auto_trans(sysadm_t, run_init_exec_t, run_init_t)
+role sysadm_r types run_init_t;
+
+domain_auto_trans(run_init_t, chkpwd_exec_t, sysadm_chkpwd_t)
+
+# for utmp
+allow run_init_t admin_tty_type:chr_file rw_file_perms;
+
+allow run_init_t privfd:fd use;
+allow run_init_t lib_t:file { getattr read };
+
+dontaudit run_init_t shadow_t:file { getattr read };
+
+# often the administrator runs such programs from a directory that is owned
+# by a different user or has restrictive SE permissions, do not want to audit
+# the failed access to the current directory
+dontaudit run_init_t file_type:dir search;
+
+') dnl endif targeted policy
+
+ifdef(`distro_gentoo', `
+# Gentoo integrated run_init+open_init_pty-runscript:
+domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
+')
+
+') dnl end TODO

refpolicy/policy/modules/system/libraries.if

@@ -0,0 +1,85 @@
+########################################
+#
+# libraries_use_dynamic_loader(domain,[`optional']
+#
+define(`libraries_use_dynamic_loader',`
+requires_block_template(libraries_use_dynamic_loader_depend,$2)
+allow $1 lib_t:dir { getattr read search };
+allow $1 lib_t:lnk_file { getattr read };
+allow $1 ld_so_t:file { getattr read execute };
+allow $1 ld_so_cache_t:file { getattr read };
+')
+
+define(`libraries_use_dynamic_loader_depend',`
+type lib_t, ld_so_t, ld_so_cache_t;
+class dir { getattr read search };
+class lnk_file { getattr read };
+class file { getattr read execute };
+')
+
+########################################
+#
+# libraries_modify_dynamic_loader_cache(domain,[`optional']
+#
+define(`libraries_modify_dynamic_loader_cache',`
+requires_block_template(libraries_modify_dynamic_loader_cache_depend,$2)
+allow $1 ld_so_cache_t:file { getattr read write };
+')
+
+define(`libraries_modify_dynamic_loader_cache_depend',`
+type ld_so_cache_t;
+class file { getattr read write };
+')
+
+########################################
+#
+# libraries_read_shared_libraries(domain,[`optional']
+#
+define(`libraries_read_shared_libraries',`
+requires_block_template(libraries_read_shared_libraries_depend,$2)
+allow $1 lib_t:dir { getattr read search };
+allow $1 lib_t:lnk_file { getattr read };
+allow $1 { shlib_t textrel_shlib_t }:file { getattr read execute };
+')
+
+define(`libraries_read_shared_libraries_depend',`
+type lib_t, shlib_t, textrel_shlib_t;
+class dir { getattr read search };
+class lnk_file { getattr read };
+class file { getattr read execute };
+')
+
+########################################
+#
+# libraries_read_static_libraries(domain,[`optional']
+#
+define(`libraries_read_static_libraries',`
+requires_block_template(libraries_read_static_libraries_depend,$2)
+allow $1 lib_t:dir { getattr read search };
+allow $1 lib_t:{ file lnk_file } { getattr read };
+')
+
+define(`libraries_read_static_libraries_depend',`
+type lib_t;
+class dir { getattr read search };
+class lnk_file { getattr read };
+class file { getattr read };
+')
+
+########################################
+#
+# libraries_execute_library_scripts(domain,[`optional']
+#
+define(`libraries_execute_library_scripts',`
+requires_block_template(libraries_execute_library_scripts_depend,$2)
+allow $1 lib_t:dir { getattr read search };
+allow $1 lib_t:lnk_file { getattr read };
+allow $1 lib_t:file { getattr read execute execute_no_trans };
+')
+
+define(`libraries_execute_library_scripts_depend',`
+type lib_t;
+class dir { getattr read search };
+class lnk_file { getattr read };
+class file { getattr read execute execute_no_trans };
+')

refpolicy/policy/modules/system/libraries.te

@@ -0,0 +1,30 @@
+#
+# ld_so_cache_t is the type of /etc/ld.so.cache.
+#
+type ld_so_cache_t;
+files_make_file(ld_so_cache_t)
+
+# ld_so_t is the type of the system dynamic loaders.
+#
+type ld_so_t;
+files_make_file(ld_so_t)
+
+#
+# lib_t is the type of files in the system lib directories.
+#
+type lib_t;
+files_make_file(lib_t)
+
+#
+# shlib_t is the type of shared objects in the system lib
+# directories.
+#
+type shlib_t;
+files_make_file(shlib_t)
+
+#
+# textrel_shlib_t is the type of shared objects in the system lib
+# directories, which require text relocation.
+#
+type textrel_shlib_t;
+files_make_file(textrel_shlib_t)

refpolicy/policy/modules/system/logging.if

@@ -0,0 +1,64 @@
+#######################################
+#
+# logging_make_log_file(type,[`optional'])
+#
+define(`logging_make_log_file',`
+requires_block_template(logging_make_log_file_depend,$2)
+files_make_file($1,optional)
+typeattribute $1 logfile;
+')
+
+define(`logging_make_log_file_depend',`
+attribute logfile;
+files_make_file_depend
+')
+
+#######################################
+#
+# logging_append_all_logs(type,[`optional'])
+#
+define(`logging_append_all_logs',`
+requires_block_template(logging_append_all_logs_depend,$2)
+allow $1 var_log_t:dir { getattr search read };
+allow $1 logfile:file { getattr append };
+')
+
+define(`logging_append_all_logs_depend',`
+attribute logfile;
+type var_log_t;
+class dir { getattr search read };
+class file { getattr append };
+')
+
+#######################################
+#
+# logging_read_all_logs(type,[`optional'])
+#
+define(`logging_read_all_logs',`
+requires_block_template(logging_read_all_logs_depend,$2)
+allow $1 var_log_t:dir { getattr search read };
+allow $1 logfile:file { getattr read };
+')
+
+define(`logging_read_all_logs_depend',`
+attribute logfile;
+type var_log_t;
+class dir { getattr search read };
+class file { getattr read };
+')
+
+#######################################
+#
+# logging_modify_system_logs(type,[`optional'])
+#
+define(`logging_modify_system_logs',`
+requires_block_template(logging_modify_system_logs_depend,$2)
+allow $1 var_log_t:dir { getattr search read };
+allow $1 var_log_t:file { getattr read write append };
+')
+
+define(`logging_modify_system_logs_depend',`
+type var_log_t;
+class dir { getattr search read };
+class file { getattr read write append };
+')

refpolicy/policy/modules/system/logging.te

@@ -0,0 +1,4 @@
+attribute logfile;
+
+type var_log_t;
+files_make_file(var_log_t)

refpolicy/policy/modules/system/miscfiles.if

@@ -0,0 +1,20 @@
+########################################
+#
+# miscfiles_read_localization(domain,[`optional'])
+#
+define(`miscfiles_read_localization',`
+requires_block_template(miscfiles_read_localization_depend,$2)
+# FIXME: $1 read etc_t:lnk_file here
+# FIXME: $1 search usr_t:dir here
+# FIXME: $1 read lib_t:file(?)
+allow $1 locale_t:dir { getattr read search };
+allow $1 locale_t:lnk_file { getattr read };
+allow $1 locale_t:file { getattr read };
+')
+
+define(`miscfiles_read_localization_depend',`
+type locale_t;
+class dir { getattr read search };
+class lnk_file { getattr read };
+class file { getattr read };
+')

refpolicy/policy/modules/system/miscfiles.te

@@ -0,0 +1,42 @@
+#
+# catman_t is the type for /var/catman.
+#
+type catman_t;       # , file_type, sysadmfile, tmpfile;
+files_make_file(catman_t)
+
+#
+# cert_t is the type of files in the system certs directories.
+#
+type cert_t;
+files_make_file(cert_t)
+
+#
+# fonts_t is the type of various font
+# files in /usr
+#
+type fonts_t;
+files_make_file(cert_t)
+
+#
+# locale_t is the type for system localization
+#
+type locale_t;
+files_make_file(locale_t)
+
+#
+# man_t is the type for the man directories.
+#
+type man_t;
+files_make_file(man_t)
+
+#
+# Base type for the tests directory.
+#
+#type test_file_t;
+#files_make_file(test_file_t)
+
+#
+# for /var/{spool,lib}/texmf index files
+#
+type tetex_data_t;     # , file_type, sysadmfile, tmpfile;
+files_make_file(tetex_data_t)

refpolicy/policy/modules/system/modutils.if

@@ -0,0 +1,93 @@
+########################################
+#
+# modutils_read_kernel_modules(domain,[`optional'])
+#
+define(`modutils_read_kernel_modules',`
+requires_block_template(modutils_read_kernel_modules_depend,$2)
+allow $1 modules_object_t:file { getattr read };
+allow $1 modules_object_t:dir { getattr search read };
+')
+
+define(`modutils_read_kernel_modules_depend',`
+type modules_object_t;
+class file { getattr read };
+class dir { getattr search read };
+')
+
+########################################
+#
+# modutils_read_kernel_module_dependencies(domain,[`optional'])
+#
+define(`modutils_read_kernel_module_dependencies',`
+requires_block_template(modutils_read_kernel_module_dependencies_depend,$2)
+allow $1 modules_dep_t:file { getattr read };
+allow $1 modules_object_t:dir { getattr search read };
+')
+
+define(`modutils_read_kernel_module_dependencies_depend',`
+type modules_object_t, modules_dep_t;
+class file { getattr create read write setattr unlink };
+class dir { search read write add_name remove_name };
+')
+
+########################################
+#
+# modutils_read_kernel_module_loading_config(domain,[`optional'])
+#
+define(`modutils_read_kernel_module_loading_config',`
+requires_block_template(modutils_read_kernel_module_loading_config_depend,$2)
+allow $1 modules_conf_t:file { getattr read };
+')
+
+define(`modutils_read_kernel_module_loading_config_depend',`
+type modules_conf_t;
+class file { getattr create read write setattr unlink };
+')
+
+########################################
+#
+# modutils_modify_kernel_modules(domain,[`optional'])
+#
+define(`modutils_modify_kernel_modules',`
+requires_block_template(modutils_modify_kernel_modules_depend,$2)
+allow $1 modules_object_t:file { getattr create read write setattr unlink };
+allow $1 modules_object_t:dir { getattr search read write add_name remove_name };
+')
+
+define(`modutils_modify_kernel_modules_depend',`
+type modules_object_t;
+class file { getattr create read write setattr unlink };
+class dir { getattr search read write add_name remove_name };
+')
+
+########################################
+#
+# modutils_insmod_transition(domain,[`optional'])
+#
+define(`modutils_insmod_transition',`
+requires_block_template(modutils_insmod_transition_depend,$2)
+allow $1 insmod_exec_t:file { getattr read execute };
+allow $1 insmod_t:process transition;
+type_transition $1 insmod_exec_t:file insmod_t;
+dontaudit $1 insmod_t:process { noatsecure siginh rlimitinh };
+')
+
+define(`modutils_insmod_transition_depend',`
+type insmod_t;
+class file { getattr read execute };
+class process { transition noatsecure siginh rlimitinh };
+')
+
+########################################
+#
+# modutils_insmod_execute(domain,[`optional'])
+#
+define(`modutils_insmod_execute',`
+requires_block_template(modutils_insmod_execute_depend,$2)
+allow $1 insmod_exec_t:file { getattr read execute execute_no_trans };
+')
+
+define(`modutils_insmod_execute_depend',`
+type insmod_t;
+class file { getattr read execute execute_no_trans };
+')

refpolicy/policy/modules/system/modutils.te

@@ -0,0 +1,114 @@
+attribute can_modify_kernel_modules;
+neverallow ~can_modify_kernel_modules modules_object_t:file { create append write };
+
+# kernel modules
+type modules_object_t;
+files_make_file(modules_object_t)
+
+# module loading config
+type modules_conf_t;
+files_make_file(modules_conf_t)
+
+# module dependencies
+type modules_dep_t;
+files_make_file(modules_dep_t)
+
+type insmod_t;
+domain_make_domain(insmod_t)
+kernel_load_module(insmod_t)
+role system_r types insmod_t;
+
+type insmod_exec_t;
+domain_make_entrypoint_file(insmod_t,insmod_exec_t)
+
+# Rules for /proc/sys/kernel/tainted
+kernel_read_kernel_sysctl(insmod_t)
+kernel_modify_kernel_sysctl(insmod_t)
+kernel_read_hotplug_sysctl(insmod_t)
+
+terminal_use_controlling_terminal(insmod_t)
+
+devices_write_mtrr(insmod_t)
+devices_get_pseudorandom_data(insmod_t)
+devices_direct_agp_access(insmod_t)
+devices_get_zeros(insmod_t)
+
+filesystem_read_persistent_filesystem_stats(insmod_t)
+
+files_read_runtime_system_config(insmod_t)
+files_read_general_system_config(insmod_t)
+
+domain_signal_all_domains(insmod_t)
+
+libraries_use_dynamic_loader(insmod_t)
+libraries_read_shared_libraries(insmod_t)
+
+corecommands_execute_general_programs(insmod_t)
+corecommands_execute_system_programs(insmod_t)
+corecommands_execute_shell(insmod_t)
+
+miscfiles_read_localization(insmod_t)
+
+allow insmod_t insmod_exec_t:file { getattr read execute execute_no_trans };
+
+# Read module config and dependency information
+allow insmod_t { modules_conf_t modules_dep_t }:file { getattr read };
+
+# read modules
+allow insmod_t modules_object_t:dir { getattr search read };
+allow insmod_t modules_object_t:file { getattr read };
+
+allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
+
+allow insmod_t self:udp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow insmod_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+allow insmod_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
+allow insmod_t self:rawip_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+
+#
+#
+# TODO rules:
+#
+#
+ifdef(`TODO_list',`
+
+allow insmod_t self:capability { dac_override net_raw sys_tty_config };
+
+# for loading modules at boot time
+allow insmod_t { init_t initrc_t }:fd use;
+allow insmod_t initrc_t:fifo_file { getattr read write };
+
+allow insmod_t usr_t:file { getattr read };
+allow insmod_t lib_t:file { getattr read };
+allow insmod_t { var_t var_log_t }:dir search;
+
+allow insmod_t privfd:fd use;
+
+allow insmod_t apm_bios_t:chr_file { read write };
+
+allow insmod_t sound_device_t:chr_file { read ioctl write };
+
+ifdef(`xserver.te', `
+allow insmod_t xserver_log_t:file getattr;
+')
+
+allow insmod_t sysfs_t:dir search;
+allow insmod_t { usbfs_t usbdevfs_t }:dir search;
+allow insmod_t { usbfs_t usbdevfs_t }:filesystem mount;
+
+allow insmod_t { initrc_devpts_t admin_tty_type }:chr_file { getattr read write };
+allow insmod_t devpts_t:dir { getattr search };
+
+can_exec(insmod_t,etc_t)
+
+ifdef(`mount.te', `
+# Run mount in the mount_t domain.
+domain_auto_trans(insmod_t, mount_exec_t, mount_t)
+')
+# for when /var is not mounted early in the boot
+dontaudit insmod_t file_t:dir search;
+
+# for nscd
+dontaudit insmod_t var_run_t:dir search;
+
+') dnl if TODO_list

refpolicy/policy/modules/system/selinux.if

@@ -0,0 +1,82 @@
+########################################
+#
+# selinux_read_config(domain,[`optional'])
+#
+define(`selinux_read_config',`
+requires_block_template(selinux_read_config_depend,$2)
+allow $1 selinux_config_t:dir { getattr search read };
+allow $1 selinux_config_t:file { getattr read };
+')
+
+define(`selinux_read_config_depend',`
+type selinux_config_t;
+class dir { getattr search read };
+class file { getattr read };
+')
+
+########################################
+#
+# selinux_read_default_contexts(domain,[`optional'])
+#
+define(`selinux_read_default_contexts',`
+requires_block_template(selinux_read_default_contexts_depend,$2)
+allow $1 selinux_config_t:dir search;
+allow $1 default_context_t:dir { getattr search read };
+allow $1 default_context_t:file { getattr read };
+')
+
+define(`selinux_read_default_contexts_depend',`
+type selinux_config_t, default_context_t;
+class dir { getattr search read };
+class file { getattr read };
+')
+
+########################################
+#
+# selinux_read_binary_policy(domain,[`optional'])
+#
+define(`selinux_read_binary_policy',`
+requires_block_template(selinux_read_binary_policy_depend,$2)
+allow $1 policy_config_t:dir { getattr search read };
+allow $1 policy_config_t:file { getattr read };
+typeattribute $1 can_write_binary_policy;
+')
+
+define(`selinux_write_binary_policy_depend',`
+type policy_config_t;
+attribute can_write_binary_policy;
+class dir { getattr search read };
+class file { getattr read };
+')
+
+########################################
+#
+# selinux_write_binary_policy(domain,[`optional'])
+#
+define(`selinux_write_binary_policy',`
+requires_block_template(selinux_write_binary_policy_depend,$2)
+allow $1 policy_config_t:dir { getattr search read write add_name remove_name };
+allow $1 policy_config_t:file { getattr create write unlink };
+typeattribute $1 can_write_binary_policy;
+')
+
+define(`selinux_write_binary_policy_depend',`
+type policy_config_t;
+attribute can_write_binary_policy;
+class dir { getattr search read write add_name remove_name };
+class file { getattr create write unlink };
+')
+
+#######################################
+#
+# selinux_read_load_policy_binary(domain,[`optional'])
+#
+define(`selinux_read_load_policy_binary',`
+requires_block_template(selinux_read_load_policy_binary_depend,$2)
+allow $1 load_policy_exec_t:file { getattr read };
+')
+
+define(`selinux_read_load_policy_binary_depend',`
+type load_policy_exec_t;
+class file { getattr read };
+')

refpolicy/policy/modules/system/selinux.te

@@ -0,0 +1,47 @@
+#
+# selinux_config_t is the type applied to
+# /etc/selinux/config
+#
+type selinux_config_t;
+files_make_file(selinux_config_t)
+
+#
+# policy_config_t is the type of /etc/security/selinux/*
+# the security server policy configuration.
+#
+type policy_config_t;
+files_make_file(policy_config_t)
+
+attribute can_write_binary_policy;
+attribute can_relabelto_binary_policy;
+neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
+neverallow ~can_write_binary_policy policy_config_t:file { write append };
+
+#
+# policy_src_t is the type of the policy source
+# files.
+#
+type policy_src_t;
+files_make_file(policy_src_t)
+
+#
+# default_context_t is the type applied to
+# /etc/selinux/*/contexts/*
+#
+type default_context_t;
+files_make_file(default_context_t) 
+
+#
+# file_context_t is the type applied to
+# /etc/selinux/*/contexts/files
+#
+type file_context_t;
+files_make_file(file_context_t)
+
+type load_policy_t;
+domain_make_domain(load_policy_t)
+
+type load_policy_exec_t;
+domain_make_entrypoint_file(load_policy_t,load_policy_exec_t)
+
+selinux_read_binary_policy(load_policy_t)

refpolicy/policy/modules/system/selinuxutil.if

@@ -0,0 +1,82 @@
+########################################
+#
+# selinux_read_config(domain,[`optional'])
+#
+define(`selinux_read_config',`
+requires_block_template(selinux_read_config_depend,$2)
+allow $1 selinux_config_t:dir { getattr search read };
+allow $1 selinux_config_t:file { getattr read };
+')
+
+define(`selinux_read_config_depend',`
+type selinux_config_t;
+class dir { getattr search read };
+class file { getattr read };
+')
+
+########################################
+#
+# selinux_read_default_contexts(domain,[`optional'])
+#
+define(`selinux_read_default_contexts',`
+requires_block_template(selinux_read_default_contexts_depend,$2)
+allow $1 selinux_config_t:dir search;
+allow $1 default_context_t:dir { getattr search read };
+allow $1 default_context_t:file { getattr read };
+')
+
+define(`selinux_read_default_contexts_depend',`
+type selinux_config_t, default_context_t;
+class dir { getattr search read };
+class file { getattr read };
+')
+
+########################################
+#
+# selinux_read_binary_policy(domain,[`optional'])
+#
+define(`selinux_read_binary_policy',`
+requires_block_template(selinux_read_binary_policy_depend,$2)
+allow $1 policy_config_t:dir { getattr search read };
+allow $1 policy_config_t:file { getattr read };
+typeattribute $1 can_write_binary_policy;
+')
+
+define(`selinux_write_binary_policy_depend',`
+type policy_config_t;
+attribute can_write_binary_policy;
+class dir { getattr search read };
+class file { getattr read };
+')
+
+########################################
+#
+# selinux_write_binary_policy(domain,[`optional'])
+#
+define(`selinux_write_binary_policy',`
+requires_block_template(selinux_write_binary_policy_depend,$2)
+allow $1 policy_config_t:dir { getattr search read write add_name remove_name };
+allow $1 policy_config_t:file { getattr create write unlink };
+typeattribute $1 can_write_binary_policy;
+')
+
+define(`selinux_write_binary_policy_depend',`
+type policy_config_t;
+attribute can_write_binary_policy;
+class dir { getattr search read write add_name remove_name };
+class file { getattr create write unlink };
+')
+
+#######################################
+#
+# selinux_read_load_policy_binary(domain,[`optional'])
+#
+define(`selinux_read_load_policy_binary',`
+requires_block_template(selinux_read_load_policy_binary_depend,$2)
+allow $1 load_policy_exec_t:file { getattr read };
+')
+
+define(`selinux_read_load_policy_binary_depend',`
+type load_policy_exec_t;
+class file { getattr read };
+')

refpolicy/policy/modules/system/selinuxutil.te

@@ -0,0 +1,47 @@
+#
+# selinux_config_t is the type applied to
+# /etc/selinux/config
+#
+type selinux_config_t;
+files_make_file(selinux_config_t)
+
+#
+# policy_config_t is the type of /etc/security/selinux/*
+# the security server policy configuration.
+#
+type policy_config_t;
+files_make_file(policy_config_t)
+
+attribute can_write_binary_policy;
+attribute can_relabelto_binary_policy;
+neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
+neverallow ~can_write_binary_policy policy_config_t:file { write append };
+
+#
+# policy_src_t is the type of the policy source
+# files.
+#
+type policy_src_t;
+files_make_file(policy_src_t)
+
+#
+# default_context_t is the type applied to
+# /etc/selinux/*/contexts/*
+#
+type default_context_t;
+files_make_file(default_context_t) 
+
+#
+# file_context_t is the type applied to
+# /etc/selinux/*/contexts/files
+#
+type file_context_t;
+files_make_file(file_context_t)
+
+type load_policy_t;
+domain_make_domain(load_policy_t)
+
+type load_policy_exec_t;
+domain_make_entrypoint_file(load_policy_t,load_policy_exec_t)
+
+selinux_read_binary_policy(load_policy_t)